Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 116/125
Findings: 1
Award: $4.23
Selected for report: 0
Solo Findings: 0
Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
4.2289 USDC - $4.23
If a lending market receives deposits before being whitelisted in the system, not only will the user be ineligible to earn rewards on those funds, but they will also be unable to withdraw the deposited funds.
If a lending market accepts deposits before it integrates with the LendingLedger, those initial deposits won't be tracked in the ledger. Once the lending market integrates with the LendingLedger and a user tries to withdraw, the ledger will see their balance as zero, even though they have funds in the lending market. This results in an underflow when trying to reduce their balance during a withdrawal, causing the require(updatedLenderBalance >= 0, "Lender balance underflow"); check to revert the transaction.
This would effectively lock the user's funds in the lending market. The user would be unable to withdraw even though they have a balance in the lending market, because as per the LendingLedger, their balance is zero.
Manual review
Before integrating a Lending Market, make sure that its balance is 0.
Invalid Validation
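A simplified model of the failure described in this finding, added here as an illustration and not taken from the audited contracts. The class and method names (Ledger, Market, whitelist_market, total_deposits), the lender "alice" and the amounts are assumptions; only the "Lender balance underflow" message comes from the report. It shows a pre-integration deposit becoming unwithdrawable, and the recommended zero-balance check refusing the integration instead.

```python
# Simplified model (not the audited contracts). All names are assumptions;
# only the "Lender balance underflow" message is quoted from the report.
class Revert(Exception):
    """Stands in for a reverted transaction."""

class Ledger:
    def __init__(self):
        self.balances = {}  # (market, lender) -> balance tracked by the ledger

    def whitelist_market(self, market, require_empty):
        # Recommended mitigation: integrate only a market whose balance is 0.
        if require_empty and market.total_deposits() != 0:
            raise Revert("Market already holds deposits")
        market.ledger = self

    def sync_ledger(self, market, lender, delta):
        updated = self.balances.get((market, lender), 0) + delta
        if updated < 0:
            raise Revert("Lender balance underflow")
        self.balances[(market, lender)] = updated

class Market:
    def __init__(self):
        self.ledger = None  # not integrated yet, so deposits are untracked
        self.deposits = {}

    def total_deposits(self):
        return sum(self.deposits.values())

    def deposit(self, lender, amount):
        if self.ledger is not None:
            self.ledger.sync_ledger(self, lender, amount)
        self.deposits[lender] = self.deposits.get(lender, 0) + amount

    def withdraw(self, lender, amount):
        if self.ledger is not None:
            # The ledger never saw the early deposit, so 0 - amount reverts.
            self.ledger.sync_ledger(self, lender, -amount)
        self.deposits[lender] -= amount

def scenario(require_empty):
    ledger, market = Ledger(), Market()
    market.deposit("alice", 100)  # constructed deposit made before integration
    try:
        ledger.whitelist_market(market, require_empty)
        market.withdraw("alice", 100)
    except Revert as err:
        return str(err)
    return "withdrawn"
```

Calling scenario(False) reproduces the locked withdrawal, while scenario(True) stops at integration time, before any lender can be stranded.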
#0 - 141345
2023-08-12T07:03:51Z
Lending Market or user's error
At least the user should check if the lending market is ready for deposit.
QA might be more appropriate.
#1 - c4-sponsor
2023-08-16T14:19:30Z
OpenCoreCH marked the issue as sponsor acknowledged
#2 - c4-sponsor
2023-08-16T14:19:34Z
OpenCoreCH marked the issue as disagree with severity
#3 - alcueca
2023-08-24T06:31:55Z
As stated elsewhere, this finding relates to contracts that have not been implemented yet. Accepted as QA for the sponsor to include in the documentation of those implementing such contracts.
#4 - c4-judge
2023-08-24T06:32:02Z
alcueca changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-08-24T06:32:06Z
alcueca marked the issue as grade-b