Venus Protocol Isolated Pools - mussucal's results

Earn, Borrow & Lend on the #1 Decentralized Money Market on the BNB Chain

General Information

Platform: Code4rena

Start Date: 08/05/2023

Pot Size: $90,500 USDC

Total HM: 17

Participants: 102

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 236

League: ETH

Venus Protocol

Findings Distribution

Researcher Performance

Rank: 26/102

Findings: 1

Award: $732.00

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: xuwinnie

Also found by: BoltzmannBrain, Udsen, mussucal

Labels

bug
2 (Med Risk)
satisfactory
duplicate-365

Awards

731.996 USDC - $732.00

External Links

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/VToken.sol#L1026-L1032

https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Comptroller.sol#L449-L454

https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Comptroller.sol#L469-L472

Vulnerability details

Impact

In preLiquidateHook(), TooMuchRepay() reverts when it should not and may cause DoS.

Proof of Concept

File: VToken.sol

Functions: liquidateBorrow(), _liquidateBorrow(), _liquidateBorrowFresh()

It is not possible to know the exact repayAmount to pass at the start in liquidateBorrow(). Hence, to liquidate completely, an amount sufficiently greater than the borrow amount is desired. Down the line, preLiquidateHook() is called with repayAmount as a parameter. Inside the hook there are checks like (repayAmount > borrows) and (repayAmount > maxClose), which revert with TooMuchRepay() each time.

Tools Used

Manual review.

  1. The actualRepayAmount is calculated by calling _repayBorrowFresh().
  2. The call to the hook should come after the actualRepayAmount calculation.
  3. In preLiquidateHook(), the actualRepayAmount should be passed as the parameter rather than repayAmount.

Assessed type

Other

#0 - c4-judge

2023-05-18T02:35:01Z

0xean marked the issue as duplicate of #365

#1 - c4-judge

2023-06-05T14:11:57Z

0xean marked the issue as satisfactory
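
The check ordering described in the finding, as an added example that is not part of the original submission or of Venus Protocol's contracts: a simplified Python model of the two comparisons the finding names, showing which repay amounts the hook rejects and the bound a caller has to stay under. The 18-decimal fixed-point scale, the class layout and the helper names `largest_accepted_repay` and `try_liquidate` are assumptions made for the model.

```python
# Simplified model of the check ordering described in the finding.
# Constructed for illustration; not Venus Protocol's contract code.
from dataclasses import dataclass

MANTISSA = 10**18  # 18-decimal fixed point (assumed scale)


class TooMuchRepay(Exception):
    """Stands in for the TooMuchRepay() custom error."""


@dataclass
class BorrowPosition:
    borrows: int                # outstanding debt, in underlying units
    close_factor_mantissa: int  # assumed value, e.g. MANTISSA // 2 for 50%

    def max_close(self) -> int:
        return self.borrows * self.close_factor_mantissa // MANTISSA

    def pre_liquidate_hook(self, repay_amount: int) -> None:
        # Both comparisons quoted in the finding, applied to the
        # caller's raw repayAmount before any capping happens.
        if repay_amount > self.borrows:
            raise TooMuchRepay("repayAmount > borrows")
        if repay_amount > self.max_close():
            raise TooMuchRepay("repayAmount > maxClose")

    def liquidate_borrow(self, repay_amount: int) -> int:
        self.pre_liquidate_hook(repay_amount)  # hook runs on the raw input
        self.borrows -= repay_amount           # state changes only if it passed
        return repay_amount


def largest_accepted_repay(pos: BorrowPosition) -> int:
    """Upper bound a caller must stay at or below for the hook to pass."""
    return min(pos.borrows, pos.max_close())


def try_liquidate(pos: BorrowPosition, repay_amount: int) -> str:
    """Return 'ok' or the revert reason, leaving state untouched on revert."""
    try:
        pos.liquidate_borrow(repay_amount)
        return "ok"
    except TooMuchRepay as exc:
        return f"revert: {exc}"
```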
