Platform: Code4rena
Start Date: 28/09/2023
Pot Size: $36,500 USDC
Total HM: 5
Participants: 115
Period: 6 days
Judge: 0xDjango
Total Solo HM: 1
Id: 290
League: ETH
Rank: 11/115
Findings: 2
Award: $661.42
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Brenzee
Also found by: 0xDetermination, 0xTheC0der, Breeje, SpicyMeatball, Testerbot, ast3ros, ether_sky, pep7siup, santipu_, sces60107, tapir
657.0509 USDC - $657.05
https://github.com/code-423n4/2023-09-venus/tree/main/contracts/Tokens/Prime/Prime.sol#L661
The impact of this vulnerability is significant. The Scores.calculateScore function expects the capital argument to have 1e18 decimal places. However, the affected line of code mistakenly scales the capital precision, which has underlying token's decimals, based on vToken decimals. Due to this incorrect scaling, certain markets may enjoy extremely large Prime rewards, while others may receive disproportionately smaller rewards. This issue affects the integrity of the protocol by causing an imbalance in reward distribution and potentially loss of funds due to mis-accounting.
The root cause of the vulnerability is that the capital argument in the _calculateScore function is incorrectly scaled based on the vToken decimals instead of the underlying decimals. Let's walk through the issue with the following scenario:
vUSDC market, which has 8 decimal places for vUSDC but 6 decimal places for USDC.vUSDC market with the expectation of enjoying boosted rewards.vToken decimals (8), Alice's capital is 100 times smaller than expected.On the other hand:
vETH market, which has 8 decimal places for vETH but 18 decimal places for ETH.vToken decimals.Manual Review
To address this vulnerability, it is recommended to correctly scale the capital argument in the _calculateScore function based on the decimals of the underlying token. The following adjustment should be made:
capital = capital * (10 ** (18 - IERC20(_getUnderlying(vToken)).decimals()))
This change will ensure that the capital is correctly scaled to match the 1e18 decimal places expected by the Scores.calculateScore function.
Decimal
#0 - c4-pre-sort
2023-10-04T23:26:04Z
0xRobocop marked the issue as duplicate of #588
#1 - c4-judge
2023-11-01T02:00:28Z
fatherGoose1 marked the issue as satisfactory
🌟 Selected for report: Bauchibred
Also found by: 0x3b, 0xDetermination, 0xMosh, 0xScourgedev, 0xTheC0der, 0xTiwa, 0xWaitress, 0xdice91, 0xfusion, 0xpiken, 0xprinc, 0xweb3boy, ArmedGoose, Aymen0909, Breeje, Brenzee, Daniel526, DavidGiladi, DeFiHackLabs, Flora, Fulum, HChang26, Hama, IceBear, J4X, Krace, KrisApostolov, Maroutis, Mirror, MohammedRizwan, Norah, PwnStars, SPYBOY, TangYuanShen, Testerbot, ThreeSigma, Tricko, al88nsk, alexweb3, ast3ros, berlin-101, bin2chen, blutorque, btk, d3e4, deth, e0d1n, ether_sky, ge6a, gkrastenov, glcanvas, hals, imare, inzinko, jkoppel, jnforja, joaovwfreire, josephdara, kutugu, lotux, lsaudit, mahdirostami, merlin, n1punp, nadin, neumo, nisedo, nobody2018, oakcobalt, orion, peanuts, pep7siup, pina, ptsanev, rokinot, rvierdiiev, said, santipu_, sashik_eth, seerether, squeaky_cactus, terrancrypt, tonisives, twicek, vagrant, xAriextz, y4y
4.3669 USDC - $4.37
https://github.com/code-423n4/2023-09-venus/tree/main/contracts/Tokens/Prime/Prime.sol#L200 https://github.com/code-423n4/2023-09-venus/tree/main/contracts/Tokens/Prime/Prime.sol#L623 https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/Prime.sol#L389 https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/Prime.sol#L607
Prime functionality lacks a crucial validation of user's position health factor. This omission allows accounts with insufficient funds (especially bad debtors) to continue enjoying Prime rewards, which can result in fund losses for the protocol and eligible users.
The root cause of the vulnerability is that the Prime functions such as _initializeMarkets, updateScores, accrueInterestAndUpdateScore and _accrueInterestAndUpdateScore functions lack overall checks for account shortfall conditions. Let's walk through the issue with the following scenario:
Alice is a Prime participant. However, due to market volatility, her position falls short and she is not able to repay the debt, making her a bad debtor. Depending on market conditions, the liquidation of Alice's position might be delayed for a period of time.
In the mean time, Alice could still call accrueInterestAndUpdateScore function to accrue the Prime rewards and update her score as the borrow interrest keeps increasing.
Since there are no mechanism to prevent Alice from enjoying the Prime rewards despite her shortfall condition, Alice continues to receive Prime rewards even though she owes funds to the protocol.
This situation can lead to a loss of funds for the protocol and other eligible users, as Alice may not have the intention to repay her debt or leave the Prime program.
Protocol has to go through VIP process to burn Alice's Prime token which is time consuming and is not ideal to handle situations like this.
Manual Review
To address this vulnerability, it is recommended to revise and implement checks for account shortfall conditions where the Prime scores are updated. If an account short-fallen, its Prime score should equate to 0, effectively eliminated from the program.
Invalid Validation
#0 - 0xRobocop
2023-10-06T21:01:29Z
Analysis
#1 - c4-pre-sort
2023-10-06T21:01:34Z
0xRobocop marked the issue as low quality report
#2 - c4-judge
2023-11-02T01:59:21Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - fatherGoose1
2023-11-02T01:59:46Z
Adding to QA as this does not directly affect the intended use of the Prime contract.