Back to dacian's contests

Venus Protocol Isolated Pools - dacian's results

Earn, Borrow & Lend on the #1 Decentralized Money Market on the BNB Chain

General Information

Platform: Code4rena

Start Date: 08/05/2023

Pot Size: $90,500 USDC

Total HM: 17

Participants: 102

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 236

League: ETH

Venus Protocol

Findings Distribution

Researcher Performance

Rank: 15/102

Findings: 2

Award: $1,008.22

🌟 Selected for report: 1

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryVenus Protocol

Findings Information

🌟 Selected for report: dacian

Also found by: Co0nan, SaeedAlipoor01988, nadin

Labels

bug
2 (Med Risk)
disagree with severity
primary issue
satisfactory
selected for report
edited-by-warden
M-15

Awards

951.5947 USDC - $951.59

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/VToken.sol#L695-L696

Vulnerability details

Impact

Borrow rates are calculated dynamically and VToken.accrueInterest() reverts if the calculated rate is greater than a hard-coded maximum. As accrueInterest() is called by most VToken functions, this state causes a major DoS.

Proof of Concept

VToken hard-codes the maximum borrow rate and accrueInterest() reverts if the dynamically calculated rate is greater than the hard-coded value.

The actual calculation is dynamic [1, 2] and takes no notice of the hard-coded cap, so it is very possible that this state will manifest, causing a major DoS due to most VToken functions calling accrueInterest() and accrueInterest() reverting.

Tools Used

Manual review

Change VToken.accrueInterest() to not revert in this case but simply to set borrowRateMantissa = borrowRateMaxMantissa if the dynamically calculated value would be greater than the hard-coded max. This would:

  1. allow execution to continue operating with the system-allowed maximum borrow rate, allowing all functionality that depends upon accrueInterest() to continue as normal,

  2. allow borrowRateMantissa to be naturally set to the dynamically calculated rate as soon as that rate becomes less than the hard-coded max.

Assessed type

DoS

#0 - c4-sponsor

2023-05-23T20:18:03Z

chechu marked the issue as disagree with severity

#1 - chechu

2023-05-23T20:18:10Z

We could deploy a new implementation of the VToken contract, with a higher maximum, and fix the lock. Via VIP, with the votes from the community

#2 - 0xean

2023-05-31T00:19:39Z

Upgrading a contract does not mitigate that their would be an impact to the protocol, so I think this does qualify as M

#3 - c4-judge

2023-05-31T00:53:51Z

0xean marked the issue as duplicate of #110

#4 - c4-judge

2023-06-05T14:00:33Z

0xean marked the issue as satisfactory

#5 - c4-judge

2023-06-05T17:02:31Z

0xean marked the issue as selected for report

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter