When calling _addCollateral, and if the share passed as zero, it is calculated based on the passed amount. However, this happens after allowanceBorrow was already called in addCollateral. So, deduction never occur for the share. Eventually, the borrow allowance never decreases. This allows a user (who has borrow allowance) to call addCollateral without borrow allowance limit set by the owner.
No deduction for the share allowance from _addCollateral() for from address:
function _addCollateral(
address from,
address to,
bool skim,
uint256 amount,
uint256 share
) internal {
if (share == 0) {
share = yieldBox.toShare(collateralId, amount, false);
}
userCollateralShare[to] += share;
uint256 oldTotalCollateralShare = totalCollateralShare;
totalCollateralShare = oldTotalCollateralShare + share;
_addTokens(from, collateralId, share, oldTotalCollateralShare, skim);
emit LogAddCollateral(skim ? address(yieldBox) : from, to, share);
}
The share is calculated here:
if (share == 0) {
share = yieldBox.toShare(collateralId, amount, false);
}
userCollateralShare[to] += share;
but there is no decrease for the share from allowanceBorrow map afterwards (incase the amount > 0 and the share is 0).
We know it is already done in allowedBorrow modifier in _allowedBorrow() method but since the share was passed zero, it had no effect.
allowanceBorrow[from][msg.sender] -= share;
Manual Review
decrease the allowanceBorrow for the share after being calucalted in _addCollateral() method in case the share passed is zero.
//add this line in _addCollateral() after share being calculated only if share was passed zero.
allowanceBorrow[from][msg.sender] -= share;
Other
The text was updated successfully, but these errors were encountered:
All reactions