Numoen contest - 0xhacksmithh's results

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/Lendgine.sol#L99

Vulnerability details

Impact

with deflationary token mint function never succeed

Proof of Concept

mint() function checking if (balanceAfter < balanceBefore + collateral) revert InsufficientInputError(); i.e balanceAfter should greater or equal to balanceBefore + collateral

But in case of fee-on transfer tokens some amount will burn from sending amount i.e collateral that sent > collateral that received

so balanceAfter is always less than balanceBefore + collateral in case of fee-on-transfer tokens

function mint(
    address to,
    uint256 collateral,
    bytes calldata data
  )
    external
    override
    nonReentrant
    returns (uint256 shares)
  {
    _accrueInterest();

    uint256 liquidity = convertCollateralToLiquidity(collateral);
    shares = convertLiquidityToShare(liquidity);

    if (collateral == 0 || liquidity == 0 || shares == 0) revert InputError();
    if (liquidity > totalLiquidity) revert CompleteUtilizationError();
    // next check is for the case when liquidity is borrowed but then was completely accrued
    if (totalSupply > 0 && totalLiquidityBorrowed == 0) revert CompleteUtilizationError();

    totalLiquidityBorrowed += liquidity;  // @audit 36
    (uint256 amount0, uint256 amount1) = burn(to, liquidity); // @audit same function name
    _mint(to, shares);

    uint256 balanceBefore = Balance.balance(token1);
    IMintCallback(msg.sender).mintCallback(collateral, amount0, amount1, liquidity, data);
    uint256 balanceAfter = Balance.balance(token1);

    if (balanceAfter < balanceBefore + collateral) revert InsufficientInputError();   // @audit-issue this logic will breake with defalmantionary tokens

    emit Mint(msg.sender, collateral, shares, liquidity, to);
  }

Tools Used

Manual review

Recommended Mitigation Steps

Some logic change should made to support fee-on-transfer tokens