Inverse Finance contest - MiloTruck's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Researcher Performance

Rank: 38/127

Findings: 1

Award: $156.27

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: rbserver

Also found by: 0xRobocop, Ch_301, ElKu, Jeiwan, MiloTruck, Picodes, sam_cunningham

Labels

bug
2 (Med Risk)
satisfactory
duplicate-583

Awards

156.2673 USDC - $156.27

External Links

Lines of code

https://github.com/InverseFinance/FiRM-code4rena/blob/main/src/Market.sol#L499-L512

Vulnerability details

Impact

In both DolaBorrowingRights and Market contracts, the function forceReplenish() in Market is the only way to ensure a user pays his DBR deficit. Thus, if users repay their debt before forceReplenish() is ever called, they will avoid paying their DBR deficit.

Proof of Concept

The function forceReplenish() in the Market contract is as shown:

src/Market.sol:
 499:        function forceReplenish(address user, uint amount) public {
 500:            uint deficit = dbr.deficitOf(user);
 501:            require(deficit > 0, "No DBR deficit");
 502:            require(deficit >= amount, "Amount > deficit");
 503:            uint replenishmentCost = amount * dbr.replenishmentPriceBps() / 10000;
 504:            uint replenisherReward = replenishmentCost * replenishmentIncentiveBps / 10000;
 505:            debts[user] += replenishmentCost;
 506:            uint collateralValue = getCollateralValueInternal(user);
 507:            require(collateralValue >= debts[user], "Exceeded collateral value");
 508:            totalDebt += replenishmentCost;
 509:            dbr.onForceReplenish(user, amount);
 510:            dola.transfer(msg.sender, replenisherReward);
 511:            emit ForceReplenish(user, msg.sender, amount, replenishmentCost, replenisherReward);
 512:        }

The function mints DBR for the user to restore their DBR deficit to 0, while adding this cost (known as replenishmentCost) to the user's DOLA debt (line 505):

debts[user] += replenishmentCost;

However, as the contract relies on providing incentives for other users to call this function, it is not guaranteed that this function will ever be called before a user fully repays their debt and withdraws all their collateral. After that, calling forceReplenish() to impose DOLA debt would have no effect on the user as no collateral is at stake for him.

In the withdrawInternal() function, call forceReplenish() before calculating the amount of collateral users are able to withdraw. This would force users to pay their DBR deficit before withdrawing their collateral.
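The accounting gap and the recommended fix can be checked with a small state model. This is an added example, not code from the report or from the FiRM contracts. Position, attempt and run_exit are hypothetical names, and the model assumes 1 collateral unit is worth 1 DOLA at a 100% collateral factor, a replenishment price of 10000 bps, and no replenisher reward.

```python
BPS = 10_000

class Revert(Exception):
    """Stands in for a failed require(); the whole call is rolled back."""

class Position:
    """One borrower's state in a simplified market (assumptions in the lead-in)."""
    def __init__(self, price_bps, settle_on_withdraw):
        self.price_bps = price_bps                    # models dbr.replenishmentPriceBps()
        self.settle_on_withdraw = settle_on_withdraw  # True = the report's recommendation
        self.collateral = self.debt = self.deficit = 0

    def force_replenish(self, amount):
        # Same checks, in the same order, as lines 500-509 of Market.sol.
        if self.deficit == 0:
            raise Revert("No DBR deficit")
        if self.deficit < amount:
            raise Revert("Amount > deficit")
        new_debt = self.debt + amount * self.price_bps // BPS
        if self.collateral < new_debt:
            raise Revert("Exceeded collateral value")
        self.debt, self.deficit = new_debt, self.deficit - amount

    def withdraw(self, amount):
        snapshot = (self.collateral, self.debt, self.deficit)
        try:
            if self.settle_on_withdraw and self.deficit > 0:
                self.force_replenish(self.deficit)  # deficit becomes debt first
            if amount > self.collateral or self.collateral - amount < self.debt:
                raise Revert("Withdraw exceeds limit")  # message is the model's own
            self.collateral -= amount
        except Revert:
            self.collateral, self.debt, self.deficit = snapshot
            raise

def attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except Revert as err:
        return str(err)

def run_exit(settle_on_withdraw, withdraw_amount):
    p = Position(10_000, settle_on_withdraw)
    # Constructed state: principal already repaid, DBR deficit of 40 never replenished.
    p.collateral, p.deficit = 1_000, 40
    exit_result = attempt(p.withdraw, withdraw_amount)
    late_result = attempt(p.force_replenish, p.deficit)  # replenisher arrives afterwards
    return exit_result, late_result, (p.collateral, p.debt, p.deficit)
```

Without settlement the full withdrawal succeeds and the later replenish call fails the collateral check, so the deficit stays unpaid; with settlement the borrower can only leave after the deficit has become collateralized debt.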

#0 - c4-judge

2022-11-06T14:57:15Z

0xean marked the issue as duplicate

#1 - Simon-Busch

2022-12-05T15:38:22Z

Issue marked as satisfactory as requested by 0xean

#2 - c4-judge

2022-12-07T08:16:07Z

Simon-Busch marked the issue as duplicate of #583
