Venus Protocol Isolated Pools - yongskiws's results

Earn, Borrow & Lend on the #1 Decentralized Money Market on the BNB Chain

General Information

Platform: Code4rena

Start Date: 08/05/2023

Pot Size: $90,500 USDC

Total HM: 17

Participants: 102

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 236

League: ETH

Venus Protocol

Findings Distribution

Researcher Performance

Rank: 47/102

Findings: 1

Award: $192.11

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Venus Protocol

Findings Information

🌟 Selected for report: fs0c

Also found by: 0xnev, BPZ, Brenzee, J4de, Team_Rocket, peanuts, rvierdiiev, yongskiws

Labels

bug

2 (Med Risk)

downgraded by judge

satisfactory

duplicate-222

Awards

192.105 USDC - $192.11

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L359-L434

Vulnerability details

Impact

When calculating _startAuction uint256 usdValue in RiskFund, Auction state divides the value of each market in the vToken list (in token list precision). This skew is fine for most tokens but will cause problems with certain token pairs.

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L359-L434

Proof of Concept

When calculating the user's usdValue ratio, the result is that the list of certain tokens will be completely broken because of this.

Imagine a pair of tokens like USDC and SHIB. USDC has a token precision of 6 and SHIB has 18. If a user has a list balance of 100,001 SHIB (100.001e18) and a loan of 1 USDC (1e6):

1e6 * 1e18 / 100.001e18 = 0

There are two problems with this. First, most of these tokens will not work. Another issue is that because the usdValue user returns 0, there are circumstances where some token lists are impossible to enumerate by violating the protocol's key invariant.

Any token with very high or very low precision will suffer the consequences.

https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Shortfall/Shortfall.sol#L393

Tools Used

Manual Review

Recommended Mitigation Steps

Depending on the precision of each Token, the ratio is calculated dynamically

Assessed type

Decimal

#0 - 0xean
2023-05-17T16:33:49Z

The warden doesn't show how this actually impacts the protocol more than just be a loss of what amounts to dust (< 1 USD of value). Will downgrade and leave open for sponsor comment prior to moving to QA

#1 - c4-judge
2023-05-17T16:33:59Z

0xean changed the severity to 2 (Med Risk)

#2 - c4-judge
2023-05-17T16:45:04Z

0xean marked the issue as duplicate of #468

#3 - c4-judge
2023-06-05T13:58:10Z

0xean marked the issue as satisfactory

Venus Protocol Isolated Pools - yongskiws's results

Earn, Borrow & Lend on the #1 Decentralized Money Market on the BNB Chain

General Information

Findings Distribution

Researcher Performance

External Links

[M-09] Precision differences when calculating the _startAuction of funds accumulated in RiskFund - $192.11

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - 0xean2023-05-17T16:33:49Z

#1 - c4-judge2023-05-17T16:33:59Z

#2 - c4-judge2023-05-17T16:45:04Z

#3 - c4-judge2023-06-05T13:58:10Z

#0 - 0xean
2023-05-17T16:33:49Z

#1 - c4-judge
2023-05-17T16:33:59Z

#2 - c4-judge
2023-05-17T16:45:04Z

#3 - c4-judge
2023-06-05T13:58:10Z