Revert Lend - befree3x's results

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L906

Vulnerability details

[M-1] V3Vault::_deposit use a wrong condition to check for the Global Lend Limit

Vulnerability Details

In the V3Vault::_deposit function, the following condition is used to check if the total supply of the Vault does not exceed the global lend limit.

....
       if (totalSupply() > globalLendLimit) {
           revert GlobalLendLimit();
       }
....

However, globalLendLimit represents the total value that can be lent out in terms of underlying assets, while totalSupply() returns the total number of pool tokens (i.e. rTokens). As a result, this comparison is incorrect as they are not using the same unit of value.

Impact

As mentioned in the white paper, Section 2.1:

Initially, rTokens will have a 1-to-1 exchange rate with the deposited asset, but over time, as interest accrues, their value appreciates, yielding more than 1-to-1 upon redemption

As a result, there will be a difference in value between the rTokens and the underlying asset when there are more and more exchanges. This may in some cases allow a user to deposit assets even if it breaks the global lend limit safeguard.

Tools Used

Manual review.

Recommended Mitigation Steps

It's recommended to convert the total supply of shares (i.e. rTokens) back into the underlying assets, reflecting the current value of those shares within the vault before comparing it with the global lend limit.

Please consider to make the following change to the function _deposit:

....
-       if (totalSupply() > globalLendLimit) {
-           revert GlobalLendLimit();
-       }
+       if (_convertToAssets(totalSupply(), newLendExchangeRateX96, Math.Rounding.Up) >= globalLendLimit) {
+           revert GlobalLendLimit();
+       }
....

Assessed type

Invalid Validation