Lines of code
<https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/lending_pool/LendingPool.sol#L125>
Users might not always be able to burn() or borrow() due to being frontrunned by other borrow or burn calls, potentially in a malicious manner so funds donβt leave the LendingPool.
This attack could happen frequently because the health of a position is given by all the collaterals in different lending pools, so it is likely that users borrow more on a certain pool, making this attack possible.
Borrowing and depositing in the same block doesnβt trigger any feed, so attackers could move their funds around to block usersβ burn/borrow.
function burn(address _receiver) external onlyCore accrue returns (uint amt) {
...
_require(amt <= _cash, Errors.NOT_ENOUGH_CASH);
...
}
function borrow(address _receiver, uint _amt) external onlyCore accrue returns (uint shares) {
_require(_amt <= cash, Errors.NOT_ENOUGH_CASH);
...
}
A simple POC was built in Foundry showing the issue:
function test_POC_FrontrunBurn() public {
uint256 _wbtcAmount = 3e8; // 3 BTC
uint256 _wethAmount = 3e18; // 3 WETH
address _user = makeAddr("user");
address _attacker = makeAddr("attacker");
_mintPool(_user, WBTC, _wbtcAmount);
_mintPool(_attacker, WBTC, _wbtcAmount);
_mintPool(_attacker, WETH, _wethAmount);
vm.prank(address(initCore));
lendingPools[WBTC].borrow(_attacker, _wbtcAmount);
vm.prank(address(initCore));
vm.expectRevert();
lendingPools[WBTC].borrow(_user, _wbtcAmount + 1);
}
Vscode, Foundry
Instead of reverting, the amount could be cropped to the available. This alone would help significantly as the missing liquidity could be very small but still make the transaction revert.
Additionally, a scheduling mechanism could be implemented to allow users to withdraw whenever there is liquidity, later.
On top of this, a fixed borrow fee could be added to stop upsers from borrowing and depositing atomically, which would decrease the likelihood of attackers moving funds around maliciously.
Under/Overflow
The text was updated successfully, but these errors were encountered:
All reactions