Code4rena: CODE423N4:2023-07-TAPIOCA-FINDINGS-ISSUES-1597
Aug 04, 2023 - 12:00 a.m.

There is no decrease for the share allowance from _addCollateral when share passed zero

AI Score: 6.9 Medium (Confidence: Low)

Lines of code

Vulnerability details

Impact

When _addCollateral is called with the share passed as zero, the share is calculated from the passed amount. However, this happens after the allowanceBorrow deduction has already run in addCollateral, so nothing is ever deducted for the calculated share and the borrow allowance never decreases. A user who has a borrow allowance can therefore call addCollateral without being bound by the borrow allowance limit set by the owner.

Proof of Concept

_addCollateral() makes no deduction from the share allowance of the from address:

    function _addCollateral(
        address from,
        address to,
        bool skim,
        uint256 amount,
        uint256 share
    ) internal {
        if (share == 0) {
            share = yieldBox.toShare(collateralId, amount, false);
        }
        userCollateralShare[to] += share;
        uint256 oldTotalCollateralShare = totalCollateralShare;
        totalCollateralShare = oldTotalCollateralShare + share;
        _addTokens(from, collateralId, share, oldTotalCollateralShare, skim);
        emit LogAddCollateral(skim ? address(yieldBox) : from, to, share);
    }

The share is calculated here:

        if (share == 0) {
            share = yieldBox.toShare(collateralId, amount, false);
        }
        userCollateralShare[to] += share;

but the calculated share is not deducted from the allowanceBorrow mapping afterwards (in the case where amount > 0 and share is 0).
The deduction is already performed by the allowedBorrow modifier, in the _allowedBorrow() method, but since the share was passed as zero, it had no effect:

    allowanceBorrow[from][msg.sender] -= share;

Tools Used

Manual Review

Recommended Mitigation Steps

Decrease allowanceBorrow by the share after it has been calculated in the _addCollateral() method, in the case where the share passed is zero.

    // Add this line in _addCollateral() after the share is calculated, only if the share was passed as zero.
    allowanceBorrow[from][msg.sender] -= share;
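
The accounting described above, as a small Python model that can serve as a regression check for the recommended line. This is an added example, not code from the finding or from the Tapioca code base. The class and function names, the fixed 2:1 rate standing in for yieldBox.toShare, the checked subtraction and the sample numbers are assumptions, and the token transfer in _addTokens is not modelled.

```python
class MarketModel:
    """Toy model of the allowance accounting in the finding (constructed, not Tapioca code)."""
    SHARES_PER_UNIT = 2  # assumed fixed rate standing in for yieldBox.toShare

    def __init__(self, patched):
        self.patched = patched
        self.allowance_borrow = {}        # (from, spender) -> remaining share allowance
        self.user_collateral_share = {}   # to -> credited shares

    def _deduct(self, frm, spender, share):
        # Mirrors `allowanceBorrow[from][msg.sender] -= share`; a checked
        # subtraction that reverts on underflow is assumed.
        left = self.allowance_borrow.get((frm, spender), 0)
        if share > left:
            raise PermissionError("borrow allowance exceeded")
        self.allowance_borrow[(frm, spender)] = left - share

    def add_collateral(self, spender, frm, to, amount, share):
        self._deduct(frm, spender, share)      # allowedBorrow modifier: sees share == 0
        if share == 0:
            share = amount * self.SHARES_PER_UNIT
            if self.patched:
                self._deduct(frm, spender, share)   # the recommended extra deduction
        self.user_collateral_share[to] = self.user_collateral_share.get(to, 0) + share
        return share


def run_scenario(patched, calls=3, amount=40, allowance=100):
    """Spender repeatedly adds collateral on the owner's behalf with share=0.

    Returns (calls accepted, allowance left, shares credited)."""
    m = MarketModel(patched)
    m.allowance_borrow[("owner", "spender")] = allowance
    accepted = 0
    for _ in range(calls):
        try:
            m.add_collateral("spender", "owner", "spender", amount, 0)
            accepted += 1
        except PermissionError:
            break
    left = m.allowance_borrow[("owner", "spender")]
    return accepted, left, m.user_collateral_share.get("spender", 0)


if __name__ == "__main__":
    print("unpatched:", run_scenario(patched=False))
    print("patched:  ", run_scenario(patched=True))
```

In the unpatched model every call is accepted and the allowance stays at its initial value; with the extra deduction the second call is rejected once the allowance is used up.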

Assessed type

Other

