Platform: Code4rena
Start Date: 08/05/2023
Pot Size: $90,500 USDC
Total HM: 17
Participants: 102
Period: 7 days
Judge: 0xean
Total Solo HM: 4
Id: 236
League: ETH
Rank: 40/102
Findings: 2
Award: $258.70
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Team_Rocket
Also found by: 0xkazim, BPZ, Bauchibred, BoltzmannBrain, Brenzee, DeliChainSec, Franfran, Lilyjjo, MohammedRizwan, SaeedAlipoor01988, Yardi256, ast3ros, berlin-101, carlitox477, fs0c, peritoflores, sashik_eth, sces60107, thekmj, volodya, zzykxx
66.5871 USDC - $66.59
The blocksPerYear value in the WhitePaperInterestRateModel.sol contract is incorrect for the protocol, since Venus will deploy these contracts to Binance Smart Chain.
In the WhitePaperInterestRateModel.sol contract, the blocksPerYear constant value is 2102400.
    /**
     * @notice The approximate number of blocks per year that is assumed by the interest rate model
     */
    uint256 public constant blocksPerYear = 2102400; // @audit - BSC block time is 3 seconds, so this is not correct.
This is incorrect, because there are more blocks per year on Binance Smart Chain.
BSC block time is 3 seconds:
    60 (seconds) * 60 (minutes) * 24 (hours) * 365 (days) = 31536000 (seconds per year)
    31536000 / 3 = 10512000 (blocks per year on BSC)
Manual Review
Change the blocksPerYear constant value to 10512000:
    uint256 public constant blocksPerYear = 10512000;
Other
#0 - c4-judge
2023-05-16T09:23:10Z
0xean marked the issue as duplicate of #559
#1 - c4-judge
2023-06-05T14:03:03Z
0xean marked the issue as satisfactory
#2 - c4-judge
2023-06-05T14:38:32Z
0xean changed the severity to 3 (High Risk)
🌟 Selected for report: fs0c
Also found by: 0xnev, BPZ, Brenzee, J4de, Team_Rocket, peanuts, rvierdiiev, yongskiws
192.105 USDC - $192.11
In the Shortfall._startAuction function, riskFundBalance (an asset balance) is compared with incentivizedRiskFundBalance (a USD value), which could cause the if statement to execute the wrong branch.
In the Shortfall._startAuction function, incentivizedRiskFundBalance is calculated from poolBadDebt, and poolBadDebt is calculated in a for loop, where every VToken.badDebt is accumulated as a USD value:
    for (uint256 i; i < marketsCount; ++i) {
        uint256 marketBadDebt = vTokens[i].badDebt();

        priceOracle.updatePrice(address(vTokens[i]));
        uint256 usdValue = (priceOracle.getUnderlyingPrice(address(vTokens[i])) * marketBadDebt) / 1e18;

        poolBadDebt = poolBadDebt + usdValue;
        auction.markets[i] = vTokens[i];
        auction.marketDebt[vTokens[i]] = marketBadDebt;
        marketsDebt[i] = marketBadDebt;
    }
After that, riskFundBalance is fetched from the riskFund.poolReserves function, incentivizedRiskFundBalance is calculated from poolBadDebt, and both of these values are compared in the if statement:
    uint256 riskFundBalance = riskFund.poolReserves(comptroller);
    uint256 remainingRiskFundBalance = riskFundBalance;
    uint256 incentivizedRiskFundBalance = poolBadDebt + ((poolBadDebt * incentiveBps) / MAX_BPS);
    if (incentivizedRiskFundBalance >= riskFundBalance) {
If we check the RiskFund.swapPoolsAssets function, we see that poolReserves is the asset amount, NOT the USD amount.
RiskFund.sol L:174-175
    uint256 swappedTokens = _swapAsset(vToken, comptroller, amountsOutMin[i], paths[i]);
    poolReserves[comptroller] = poolReserves[comptroller] + swappedTokens;
This means that an asset amount is compared to a USD amount, which is incorrect, and the _startAuction function would not operate in the intended way.
Manual Review
Make sure to calculate the USD value of riskFundBalance and compare that value, instead of riskFundBalance itself, to incentivizedRiskFundBalance.
Invalid Validation
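The unit mismatch described in this finding, modelled in Python as an added example (not code from the Venus repository or from the warden's submission). The prices, balances, incentive value, MAX_BPS = 10000, 18-decimal scaling and the reserve_price parameter are assumptions constructed for illustration.

```python
# Added illustration: integer model of the comparison in Shortfall._startAuction.
# Not Venus code; all sample values below are constructed.
MANTISSA = 10**18  # 1e18 scaling used in the excerpt above
MAX_BPS = 10_000   # assumption: basis-point denominator

def pool_bad_debt_usd(markets):
    """Mirror the loop: accumulate price * badDebt / 1e18 per market (USD value)."""
    total = 0
    for price, bad_debt in markets:
        total += (price * bad_debt) // MANTISSA
    return total

def incentivized_risk_fund_balance(pool_bad_debt, incentive_bps):
    """poolBadDebt + poolBadDebt * incentiveBps / MAX_BPS, as in the excerpt."""
    return pool_bad_debt + (pool_bad_debt * incentive_bps) // MAX_BPS

def branch_as_written(markets, incentive_bps, pool_reserves):
    """Compares a USD value with a raw asset amount (the reported mismatch)."""
    debt = incentivized_risk_fund_balance(pool_bad_debt_usd(markets), incentive_bps)
    return debt >= pool_reserves

def branch_same_units(markets, incentive_bps, pool_reserves, reserve_price):
    """Converts reserves to USD first; reserve_price is a hypothetical oracle price."""
    reserves_usd = (reserve_price * pool_reserves) // MANTISSA
    debt = incentivized_risk_fund_balance(pool_bad_debt_usd(markets), incentive_bps)
    return debt >= reserves_usd

# Constructed sample: (oracle price in USD, bad debt in tokens), both scaled by 1e18.
MARKETS = [
    (2_000 * MANTISSA, 10 * MANTISSA),  # 10 tokens at $2,000 -> $20,000
    (1 * MANTISSA, 5_000 * MANTISSA),   # 5,000 tokens at $1  -> $5,000
]
INCENTIVE_BPS = 1_000                   # constructed: 10% incentive
POOL_RESERVES = 100 * MANTISSA          # constructed: 100 reserve tokens
RESERVE_PRICE = 300 * MANTISSA          # constructed: $300 per reserve token

if __name__ == "__main__":
    print("as written:", branch_as_written(MARKETS, INCENTIVE_BPS, POOL_RESERVES))
    print("same units:", branch_same_units(MARKETS, INCENTIVE_BPS, POOL_RESERVES, RESERVE_PRICE))
```

With these values the reserves are worth $30,000 against an incentivized debt of $27,500, yet the comparison as written takes the opposite branch because it reads 100 tokens as if they were $100.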
#0 - c4-judge
2023-05-18T10:20:42Z
0xean marked the issue as duplicate of #548
#1 - c4-judge
2023-05-31T16:01:48Z
0xean marked the issue as duplicate of #468
#2 - c4-judge
2023-06-05T14:17:31Z
0xean marked the issue as satisfactory