Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 114/125
Findings: 1
Award: $4.23
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
4.2289 USDC - $4.23
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/LendingLedger.sol#L129-L143
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/LendingLedger.sol#L204-L207
Users who have not provided liquidity can still claim Canto
When a lending market is blacklisted, user balances and the market's balance history are preserved in the ledger. The issue can be illustrated with the following scenario:
Alice provides 100 tokens as liquidity to a lending market during epoch X.
Alice then claims rewards for each subsequent epoch (X + 1, X + 2, ...).
After some number of epochs, the governance of the lending market decides to blacklist the market.
Alice withdraws her 100 tokens from the lending market. The market's attempt to synchronize the ledger by calling sync_ledger reverts because the market is blacklisted. It is assumed that the lending market wraps the sync_ledger call in try/catch to handle this reversion, so the withdrawal completes and Alice's balance within the lending market is reduced to zero.
After a further span of epochs, the blacklisting is lifted and the market is whitelisted again. Note that Alice's balance history is still preserved within the lendingLedger.
Given this preserved balance history, Alice can still claim rewards even though she withdrew her 100 tokens earlier: the withdrawal was never recorded in the ledger because the sync_ledger call reverted during the blacklisting period.
Manual review
A possible resolution is to allow the lending market to execute sync_ledger during a withdrawal of liquidity (i.e. when Delta is negative) even while the market is blacklisted. Both the user's balance and the market balance can then be decreased correctly, and when the lending market is eventually whitelisted again, normal operation resumes with accurate balances.
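As an added illustration (not code from the verwa repository or from this report), the scenario above and the proposed mitigation modelled in Python: a simplified ledger with a per-epoch balance history, where `Ledger`, `market_withdraw`, `scenario` and the `allow_negative` switch are constructed names and only `sync_ledger` comes from the finding.

```python
class LedgerReverted(Exception):
    """Models a Solidity revert raised by sync_ledger."""

class Ledger:
    # allow_negative: the proposed mitigation, letting a blacklisted market
    # still record withdrawals (negative delta) so balances do not go stale.
    def __init__(self, allow_negative: bool):
        self.allow_negative = allow_negative
        self.whitelisted = False
        self.epoch = 0
        self.balance = {}   # user -> current balance in this market
        self.history = {}   # epoch -> {user -> balance}, used for claims

    def sync_ledger(self, user: str, delta: int) -> None:
        # Vulnerable rule: any sync against a blacklisted market reverts.
        # Mitigated rule: a negative delta (withdrawal) is always accepted.
        if not self.whitelisted and not (self.allow_negative and delta < 0):
            raise LedgerReverted("market is blacklisted")
        self.balance[user] = self.balance.get(user, 0) + delta
        self.history[self.epoch] = dict(self.balance)

    def advance_epoch(self) -> None:
        self.epoch += 1
        self.history[self.epoch] = dict(self.balance)  # carry balances forward

    def claim(self, user: str, epoch: int, reward_per_token: int = 1) -> int:
        # Rewards are paid from the recorded balance history, not live balances.
        return self.history.get(epoch, {}).get(user, 0) * reward_per_token

def market_withdraw(ledger: Ledger, user: str, amount: int) -> None:
    # The lending market wraps sync_ledger in try/catch, as the report assumes,
    # so the user is paid out even when the ledger update reverts.
    try:
        ledger.sync_ledger(user, -amount)
    except LedgerReverted:
        pass  # ledger is now stale: it still shows the withdrawn balance

def scenario(allow_negative: bool) -> int:
    # Replay Alice's scenario; return what she can claim once re-whitelisted.
    ledger = Ledger(allow_negative)
    ledger.whitelisted = True
    ledger.sync_ledger("alice", 100)       # epoch 0: Alice deposits 100 tokens
    ledger.advance_epoch()                 # epoch 1
    ledger.whitelisted = False             # governance blacklists the market
    market_withdraw(ledger, "alice", 100)  # withdrawal; sync reverts if vulnerable
    ledger.advance_epoch()                 # epoch 2
    ledger.whitelisted = True              # market whitelisted again
    return ledger.claim("alice", 2)        # vulnerable: 100, mitigated: 0
```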
Context
#0 - c4-pre-sort
2023-08-13T01:29:33Z
141345 marked the issue as low quality report
#1 - c4-pre-sort
2023-08-13T01:34:08Z
141345 marked the issue as primary issue
#2 - c4-pre-sort
2023-08-13T05:14:45Z
141345 marked the issue as duplicate of #270
#3 - c4-pre-sort
2023-08-13T14:41:52Z
141345 marked the issue as remove high or low quality report
#4 - c4-judge
2023-08-25T10:14:52Z
alcueca marked the issue as not a duplicate
#5 - c4-judge
2023-08-25T10:14:57Z
alcueca changed the severity to QA (Quality Assurance)
#6 - alcueca
2023-08-25T10:15:12Z
Duplicate of #39, which is QA
#7 - c4-judge
2023-08-25T10:15:22Z
alcueca marked the issue as grade-b