Dopex - 0xMosh's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Dopex

Findings Distribution

Researcher Performance

Rank: 167/189

Findings: 1

Award: $0.07

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L1002

Vulnerability details

Impact

The sync() function may get DoS'ed permanently.

Proof of Concept

In the addToDelegate function, the totalWethDelegated variable is used to track the amount of WETH delegated for bonding. However, it is not decreased when WETH is withdrawn from the protocol. This is problematic because it may permanently DoS the sync() function.

The sync() function is used to rebalance different token balances. According to the protocol team: "Its to sync the reserves in the core contract so if we have the AMO's perform market operations then anyone can call sync." It is an important function in the protocol. The function looks like this:

  // Syncs the different token balances.
  // @n but this is not called anywhere in the contract
  function sync() external {
    for (uint256 i = 1; i < reserveAsset.length; i++) {
      uint256 balance = IERC20WithBurn(reserveAsset[i].tokenAddress).balanceOf(
        address(this)
      );

      if (weth == reserveAsset[i].tokenAddress) {
        // <----- this will underflow and revert if totalWethDelegated is larger
        // than the balance, and DoS the function every time it is called
        balance = balance - totalWethDelegated;
      }
      reserveAsset[i].tokenBalance = balance;
    }

    emit LogSync();
  }

Here, if the asset is WETH, the WETH balance of the contract is cached first, then totalWethDelegated is subtracted from the cached balance, and then reserveAsset[i].tokenBalance is updated.

The problem here is that the totalWethDelegated variable may get larger than the WETH balance of the contract. In that scenario, Solidity 0.8.19 will revert the function call because of the underflow, and reserveAsset[i].tokenBalance cannot be updated anymore, which is crucial for the protocol to function properly.

Also, an attacker can maliciously call the addToDelegate function and the withdraw function repeatedly with a good amount of WETH to increase the totalWethDelegated variable and exploit the given issue by just paying a small amount of gas fees.

Tools Used

Manual Review

Mitigation is simple. Decrease the totalWethDelegated variable when withdrawing delegated WETH from the protocol to mitigate the issue.

Assessed type

DoS
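The mitigation described in the finding, shown as an added example that is not part of the report or of the Dopex code base. It is a simplified model of the delegate accounting: every name except totalWethDelegated, addToDelegate, withdraw and sync is hypothetical, and the real contract's per-delegate structs and access checks are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

// Illustrative model only; not RdpxV2Core. Interface and storage names are assumptions.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract DelegateAccountingModel {
    IERC20Like public immutable weth;
    uint256 public totalWethDelegated;            // WETH held on behalf of delegators
    uint256 public wethReserve;                   // protocol-owned WETH recorded by sync()
    mapping(address => uint256) public delegated; // per-user delegated WETH (simplified)

    constructor(IERC20Like _weth) {
        weth = _weth;
    }

    function addToDelegate(uint256 amount) external {
        require(amount > 0, "zero amount");
        delegated[msg.sender] += amount;
        totalWethDelegated += amount;
        require(weth.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdraw() external returns (uint256 amount) {
        amount = delegated[msg.sender];
        require(amount > 0, "nothing to withdraw");
        delegated[msg.sender] = 0;
        // The fix: the counter falls together with the tokens that leave, so
        // totalWethDelegated can never exceed the WETH the contract still holds.
        totalWethDelegated -= amount;
        require(weth.transfer(msg.sender, amount), "transfer failed");
    }

    function sync() external {
        uint256 balance = weth.balanceOf(address(this));
        // Checked subtraction: reverts only if the invariant
        // totalWethDelegated <= balance has been broken elsewhere.
        wethReserve = balance - totalWethDelegated;
    }
}
```

Without the decrement in withdraw(), each deposit-and-withdraw cycle leaves the counter inflated by the deposited amount while the balance returns to its earlier value, which is the state in which sync() reverts.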

#0 - c4-pre-sort

2023-09-08T12:18:26Z

bytes032 marked the issue as duplicate of #2186

#1 - c4-judge

2023-10-20T17:52:50Z

GalloDaSballo marked the issue as satisfactory

#2 - c4-judge

2023-10-20T17:55:32Z

GalloDaSballo changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-10-21T07:38:54Z

GalloDaSballo changed the severity to 3 (High Risk)

#4 - c4-judge

2023-10-21T07:40:48Z

GalloDaSballo marked the issue as partial-50
