Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

exchangeRate could be zero which allow a user to be solvent even if no collateral was added #1605

Open
code423n4 opened this issue Aug 4, 2023 · 3 comments
Open

exchangeRate could be zero which allow a user to be solvent even if no collateral was added #1605

code423n4 opened this issue Aug 4, 2023 · 3 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-316 grade-b Q-13 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L101

Vulnerability details

Impact

exchangeRate can be zero if updateExchangeRate() failed when calling init(), user then can borrow and be solvent even if the user is not solvent or for example didn't add any collateral. This is against how the protocol is intended to work.

Proof of Concept

In init(), updateExchangeRate() is being called to read value from oracle to set the state variable exchangeRate since it's zero and not initialized yet.

	updateExchangeRate();

Code link

basically the functiion updateExchangeRate() is trying to read the rate from oracle but if it fails it will just take the old rate

    function updateExchangeRate() public returns (bool updated, uint256 rate) {
        (updated, rate) = oracle.get("");


        if (updated) {
            require(rate > 0, "Market: invalid rate");
            exchangeRate = rate;
            emit LogExchangeRate(rate);
        } else {
            // Return the old rate if fetching wasn't successful
            rate = exchangeRate;
        }
    }

Code link

There is a possibility that exchangeRate might fail for the first time getting the rate from oracle thus. Thus, exchangeRate will take the old rate which is zero until updateExchangeRate() called again.

During this time, someone could borrow amount without being solvent. Although, this is an edge case, it is still possible. The protocol should simply set a default value for exchangeRate. or revert any impacted operation if exchangeRate. is still zero.

Tools Used

Manual Review

Recommended Mitigation Steps

Set a default value for exchangeRate.or revert any impacted operation (e.g. borrow) if exchangeRate. is still zero.

Assessed type

Other
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 4, 2023
code423n4 added a commit that referenced this issue Aug 4, 2023
@code423n4
Koolex issue #1605
8aacdf4
@c4-pre-sort
Copy link

minhquanym marked the issue as duplicate of #316

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Sep 19, 2023
@c4-judge
Copy link

dmvt changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added the QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax label Sep 19, 2023
@c4-judge
Copy link

dmvt marked the issue as grade-b

@C4-Staff C4-Staff reopened this Oct 10, 2023
@C4-Staff C4-Staff added the Q-13 label Oct 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-316 grade-b Q-13 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code423n4 @c4-judge @c4-pre-sort @C4-Staff