Inverse Finance contest - 0xRobocop's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Researcher Performance

Rank: 39/127

Findings: 1

Award: $156.27

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: rbserver

Also found by: 0xRobocop, Ch_301, ElKu, Jeiwan, MiloTruck, Picodes, sam_cunningham

Labels

bug
2 (Med Risk)
satisfactory
duplicate-583

Awards

156.2673 USDC - $156.27

External Links

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L531

Vulnerability details

Impact

A user can repay all of his debt and withdraw all of his collateral by calling the repayAndWithdraw function with uint withdrawAmount equal to debts[user] as the input parameter, even if he has a deficit of DBR tokens.

Proof of Concept

There is no requirement that the user be free of a DBR token deficit in order to withdraw his collateral. It is true that a user who incurs a deficit runs the risk of someone calling forceReplenish on him, but if the user can front-run it, then the user will not need to pay for his DBR deficit.

To test this, I wrote the following test:

```solidity
function testRepayAndWithdrawWitoutPayingDeficit() public {
    uint newWethTestAmount = 5 ether;
    gibWeth(user, newWethTestAmount);

    vm.startPrank(user);

    // User deposits 5 ether as collateral
    deposit(newWethTestAmount);
    assertEq(WETH.balanceOf(address(market.escrows(user))), newWethTestAmount, "failed to deposit WETH");
    assertEq(WETH.balanceOf(user), 0, "failed to deposit WETH");

    // The user has no deficit
    assertEq(dbr.deficitOf(user), 0, "Incorrect Deficit");

    // He borrows 10 DOLA
    market.borrow(10 ether);

    // 1 year into the future
    vm.warp(block.timestamp + 365 days);

    // The user has a deficit of 10 DBR
    assertEq(dbr.deficitOf(user), 10 ether, "Incorrect Deficit");

    // But he is able to repay all the debt and withdraw all the collateral when having a DBR deficit.
    market.repayAndWithdraw(10 ether, newWethTestAmount);
    assertEq(WETH.balanceOf(address(market.escrows(user))), 0, "failed to withdraw WETH");
    assertEq(WETH.balanceOf(user), newWethTestAmount, "failed to withdraw WETH");
}
```

Tools Used

Manual review

Don't allow the user to withdraw the collateral if he has a deficit of DBR tokens.
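
The recommended check, sketched as an added example that is not part of the original submission and is not Inverse Finance's Market.sol. MarketModel, noDeficit, repayAndWithdrawUnchecked and the reduced IDbr interface are hypothetical names; native ETH stands in for the WETH escrow, and DOLA transfers and collateral-factor checks are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumed interface: only the deficitOf view that the test above calls.
interface IDbr {
    function deficitOf(address user) external view returns (uint);
}

// Simplified model for illustration, not the audited contract.
contract MarketModel {
    IDbr public immutable dbr;
    mapping(address => uint) public debts;
    mapping(address => uint) public collateral;

    constructor(IDbr _dbr) { dbr = _dbr; }

    // Rejects the call while the caller still has an unpaid DBR deficit.
    modifier noDeficit() {
        require(dbr.deficitOf(msg.sender) == 0, "DBR deficit outstanding");
        _;
    }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint amount) external { debts[msg.sender] += amount; }

    // Reverts on underflow (Solidity 0.8) if amount exceeds the debt.
    function repay(uint amount) public { debts[msg.sender] -= amount; }

    // Pattern described in the finding: collateral leaves with no deficit check.
    function repayAndWithdrawUnchecked(uint repayAmount, uint withdrawAmount) external {
        repay(repayAmount);
        _withdraw(withdrawAmount);
    }

    // Hardened variant: the same flow, gated on a zero DBR deficit.
    function repayAndWithdraw(uint repayAmount, uint withdrawAmount) external noDeficit {
        repay(repayAmount);
        _withdraw(withdrawAmount);
    }

    function _withdraw(uint amount) internal {
        // Model simplification: collateral is released only once debt is zero.
        require(debts[msg.sender] == 0, "debt outstanding");
        collateral[msg.sender] -= amount; // state updated before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```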

#0 - c4-judge

2022-11-05T21:25:23Z

0xean marked the issue as duplicate

#1 - Simon-Busch

2022-12-05T15:38:29Z

Issue marked as satisfactory as requested by 0xean

#2 - c4-judge

2022-12-07T08:16:07Z

Simon-Busch marked the issue as duplicate of #583
