Venus Prime - e0d1n's results

Earn, borrow & lend on the #1 Decentralized Money Market on the BNB chain.

General Information

Platform: Code4rena

Start Date: 28/09/2023

Pot Size: $36,500 USDC

Total HM: 5

Participants: 115

Period: 6 days

Judge: 0xDjango

Total Solo HM: 1

Id: 290

League: ETH

Venus Protocol

Findings Distribution

Researcher Performance

Rank: 107/115

Findings: 1

Award: $4.37

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/PrimeLiquidityProvider.sol#L216-L225

Vulnerability details

Summary

The sweepToken function lacks a crucial check to determine whether a token is being tracked and has pending accruals, which can lead to discrepancies in the tokenAmountAccrued mapping and subsequent issues in the accrueTokens and releaseFunds functions.

Vulnerability Details

The sweepToken function allows the contract owner to transfer a specified amount of any token from the contract to another address. However, it does not verify whether the token is being tracked or has pending accruals by the contract. Consequently, if sweepToken is used to withdraw tokens that are pending to be accrued, it can create a situation where the tokenAmountAccrued mapping reflects an amount greater than the actual token balance of the contract. This discrepancy can lead to an underflow in the accrueTokens function and cause the releaseFunds function to revert due to insufficient balance.

    function sweepToken(IERC20Upgradeable token_, address to_, uint256 amount_) external onlyOwner {
        uint256 balance = token_.balanceOf(address(this));
        if (amount_ > balance) {
            revert InsufficientBalance(amount_, balance);
        }

        emit SweepToken(address(token_), to_, amount_);
        token_.safeTransfer(to_, amount_);
    }

Impact

The absence of a check for tracked tokens in the sweepToken function can disrupt the normal operation of the contract by creating a mismatch between the actual token balance and the tokenAmountAccrued mapping. This can lead to underflows in arithmetic operations within the accrueTokens function and reverts in the releaseFunds function due to insufficient funds, thereby potentially locking funds and halting the normal operation of the contract.

Proof of Concept

If sweepToken is utilised to withdraw tokens that are being tracked and have pending accruals, the actual balance of the contract for that token will be reduced without updating the tokenAmountAccrued mapping. This will create a situation where tokenAmountAccrued[token_] is greater than the actual balance, causing the subtraction in accrueTokens to underflow and the ERC20 transfer in releaseFunds to revert due to insufficient funds.

Tools Used

Manual analysis was performed.

Recommended Mitigation Steps

Introduce a check in the sweepToken function to prevent the withdrawal of tokens that are being tracked and have pending accruals. This could be achieved by maintaining a mapping of tracked tokens and checking against it in the sweepToken function. Alternatively, directly check whether tokenAmountAccrued[token_] is greater than 0, and if it is, revert the transaction to prevent the sweeping of tokens that are pending accrual.

Example mitigation in sweepToken function:

    function sweepToken(IERC20Upgradeable token_, address to_, uint256 amount_) external onlyOwner {
        require(tokenAmountAccrued[address(token_)] == 0, "Cannot sweep tracked token with pending accruals");
        uint256 balance = token_.balanceOf(address(this));
        require(amount_ <= balance, "Insufficient balance");

        emit SweepToken(address(token_), to_, amount_);
        token_.safeTransfer(to_, amount_);
    }

This mitigation ensures that tokens with pending accruals cannot be swept, thereby preventing the described vulnerability. Thoroughly test the contract after implementing the change to validate that the solution works as intended and does not introduce new issues.
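Added example (not part of the warden's submission or the Venus contracts): a hypothetical Foundry test against a minimal stand-in for the accrual bookkeeping. It shows that an unchecked sweep leaves tokenAmountAccrued above the real balance so the subtraction in accrueTokens panics, while the recommended pre-sweep check makes the sweep itself revert. The forge-std and OpenZeppelin import paths, MockToken, AccrualVault and its guarded flag are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test, stdError} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract MockToken is ERC20("Mock", "MCK") {
    function mint(address to, uint256 amt) external { _mint(to, amt); }
}

// Hypothetical stand-in for PrimeLiquidityProvider's bookkeeping (access control omitted):
// newly accrued tokens are derived as balance - tokenAmountAccrued, so a sweep that
// pulls the balance below the accrued total breaks that subtraction.
contract AccrualVault {
    bool public immutable guarded; // true = apply the recommended pre-sweep check
    mapping(address => uint256) public tokenAmountAccrued;
    constructor(bool guarded_) { guarded = guarded_; }

    function accrueTokens(address token) external {
        uint256 balance = ERC20(token).balanceOf(address(this));
        // Reverts with Panic(0x11) once tokenAmountAccrued exceeds the real balance.
        tokenAmountAccrued[token] += balance - tokenAmountAccrued[token];
    }

    function sweepToken(address token, address to, uint256 amount) external {
        if (guarded) require(tokenAmountAccrued[token] == 0, "pending accruals");
        ERC20(token).transfer(to, amount);
    }
}

contract SweepInvariantTest is Test {
    MockToken token = new MockToken();

    function _deploy(bool guarded) internal returns (AccrualVault v) {
        v = new AccrualVault(guarded);
        token.mint(address(v), 100 ether);
        v.accrueTokens(address(token)); // tokenAmountAccrued == balance == 100 ether
    }

    function testUncheckedSweepBreaksAccounting() public {
        AccrualVault v = _deploy(false);
        v.sweepToken(address(token), address(0xBEEF), 60 ether); // balance 40, accrued 100
        assertGt(v.tokenAmountAccrued(address(token)), token.balanceOf(address(v)));
        vm.expectRevert(stdError.arithmeticError);
        v.accrueTokens(address(token));
    }

    function testGuardedSweepReverts() public {
        AccrualVault v = _deploy(true);
        vm.expectRevert(bytes("pending accruals"));
        v.sweepToken(address(token), address(0xBEEF), 60 ether);
    }
}
```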

Assessed type

Invalid Validation

#0 - c4-pre-sort

2023-10-05T01:10:22Z

0xRobocop marked the issue as duplicate of #42

#1 - c4-judge

2023-10-31T17:09:53Z

fatherGoose1 changed the severity to QA (Quality Assurance)

#2 - c4-judge

2023-11-03T01:42:42Z

fatherGoose1 marked the issue as grade-b
