code423n4/2021-04-basedloans-findings, issue 33
May 04, 2021

Reward rates can be changed through flash borrows

Code4rena (github.com)
Tags: flash borrow, reward manipulation, total borrows, market rates, admin-only, time-weighted borrowing, uniswap

Handle

@cmichelio

Vulnerability Details

The rewards per market are proportional to that market's totalBorrows, which can be changed by a large holder who deposits a large amount of collateral, takes out a huge borrow in the market, triggers the reward update, and then unwinds the position.
They only pay gas fees, as the borrow and repay can happen in the same block.

The Comptroller.refreshCompSpeeds function only checks that the single transaction is called from an EOA, but miners (or anyone, if a miner offers bundle services such as Flashbots) can still run flash-loan-like attacks by first sending a borrow tx that increases totalBorrows, then the refreshCompSpeeds transaction, and then the repay of the borrow, since miners have full control over the transaction order within a block.
The new rate then persists until the next call to refreshCompSpeeds.

Impact

Attackers have an incentive to drive up the rewards in markets in which they are a large supplier/borrower.
The increased rewards that the attacker receives are essentially stolen from other legitimate users.

Recommended Mitigation Steps

Make refreshCompSpeeds an admin-only function, or compute the speeds from a time-weighted totalBorrows, similar to Uniswap's time-weighted price oracles.
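As an added example (not part of the original finding or the BasedLoans code), a Python model of the two reward-speed computations described above: the spot version that refreshCompSpeeds uses, and the time-weighted version proposed as mitigation. Market names, amounts, timestamps and the total reward speed are constructed; a borrow opened and repaid in the same block gets zero elapsed time in the accumulator, so it cannot move the time-weighted average.

```python
from dataclasses import dataclass
from fractions import Fraction
TOTAL_SPEED = Fraction(10)  # constructed: reward tokens per block, split across markets

@dataclass
class Market:
    """One market: spot totalBorrows plus a cumulative time-weighted sum of it."""
    total_borrows: Fraction
    borrows_cumulative: Fraction = Fraction(0)  # sum of totalBorrows * seconds outstanding
    last_timestamp: int = 0

    def accrue(self, now: int) -> None:
        # Fold the borrows outstanding since the last update into the accumulator;
        # a position opened and closed inside one block sees elapsed == 0 here.
        self.borrows_cumulative += self.total_borrows * (now - self.last_timestamp)
        self.last_timestamp = now

    def borrow(self, now: int, amount: int) -> None:
        self.accrue(now)
        self.total_borrows += amount

    def repay(self, now: int, amount: int) -> None:
        self.accrue(now)
        self.total_borrows -= amount

def spot_speeds(markets: dict) -> dict:
    """Speeds as refreshCompSpeeds sets them: proportional to the current totalBorrows."""
    total = sum(m.total_borrows for m in markets.values())
    return {k: TOTAL_SPEED * m.total_borrows / total for k, m in markets.items()}

def twab_speeds(markets: dict, window_start: dict, now: int) -> dict:
    """Mitigation: proportional to the time-weighted average totalBorrows over a window;
    window_start maps market -> (borrows_cumulative, timestamp) at the window's start."""
    averages = {}
    for k, m in markets.items():
        m.accrue(now)
        cum0, t0 = window_start[k]
        averages[k] = (m.borrows_cumulative - cum0) / (now - t0)
    total = sum(averages.values())
    return {k: TOTAL_SPEED * a / total for k, a in averages.items()}

def flash_borrow_scenario():
    """Constructed block at t=1000: borrow 900 in market A, refresh speeds, repay."""
    markets = {"A": Market(Fraction(100)), "B": Market(Fraction(100))}
    window_start = {k: (m.borrows_cumulative, m.last_timestamp) for k, m in markets.items()}
    markets["A"].borrow(1000, 900)
    spot = spot_speeds(markets)  # manipulated: A's share jumps from 1/2 to 10/11
    twab = twab_speeds(markets, window_start, 1000)  # unchanged: still 1/2 each
    markets["A"].repay(1000, 900)
    return spot, twab
```

The residual risk of the time-weighted variant is that a position held across blocks still shifts the average by amount times seconds held divided by the window length, so the window must be long enough that the interest paid over that time exceeds the reward gained.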
