
executeYieldBorrowERC20() checking yieldCap wrong

Severity: Medium

Platform: Code4rena

Lines of code

https://github.com/code-423n4/2024-07-benddao/blob/117ef61967d4b318fc65170061c9577e674fffa1/src/libraries/logic/YieldLogic.sol#L51

Vulnerability details

In executeYieldBorrowERC20(), the code checks whether the borrow of stakerAddr would exceed yieldCap:

```solidity
function executeYieldBorrowERC20(InputTypes.ExecuteYieldBorrowERC20Params memory params) internal {
    ...
    ValidateLogic.validateYieldBorrowERC20(params, poolData, assetData, groupData);

@>  vars.totalSupply = VaultLogic.erc20GetTotalCrossSupply(assetData, groupData.borrowIndex);

    // check asset level yield cap limit
    vars.totalBorrow = VaultLogic.erc20GetTotalCrossBorrowInGroup(groupData, groupData.borrowIndex);
    require(
      (vars.totalBorrow + params.amount) <= vars.totalSupply.percentMul(assetData.yieldCap),
      Errors.YIELD_EXCEED_ASSET_CAP_LIMIT
    );

    // check staker level yield cap limit
    vars.stakerBorrow = VaultLogic.erc20GetUserCrossBorrowInGroup(groupData, vars.stakerAddr, groupData.borrowIndex);
    require(
      (vars.stakerBorrow + params.amount) <= vars.totalSupply.percentMul(ymData.yieldCap),
      Errors.YIELD_EXCEED_STAKER_CAP_LIMIT
    );
```

The code above computes totalSupply as totalScaledCrossSupply * groupData.borrowIndex. Scaling the supply balance with the borrow index is wrong: the scaled supply must be converted with the supply index, not the borrow index.

The correct way to calculate the supply is to use assetData.supplyIndex.
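As an added illustration (not code from the BendDAO repository or the report), the following Python model reproduces the asset-level cap check described above and evaluates it once with the supply index and once with the borrow index. The ray_mul/percent_mul semantics, the 1e27 index precision and all sample values are constructed assumptions chosen so that the two indexes diverge, as they do whenever the borrow rate exceeds the supply rate.

```python
# Added example: a minimal model of the asset-level yield cap check in
# executeYieldBorrowERC20(). Not the project's code; all values are constructed.
RAY = 10**27              # assumed index precision (1e27 fixed point)
PERCENT_FACTOR = 10_000   # assumed percentMul() basis: 10_000 bps == 100%


def ray_mul(a: int, b: int) -> int:
    """a * b / RAY, rounded half up (assumed rayMul semantics)."""
    return (a * b + RAY // 2) // RAY


def percent_mul(value: int, bps: int) -> int:
    """value * bps / 10_000, rounded half up (assumed percentMul semantics)."""
    return (value * bps + PERCENT_FACTOR // 2) // PERCENT_FACTOR


def total_supply(total_scaled_cross_supply: int, index: int) -> int:
    """erc20GetTotalCrossSupply(assetData, index) as the report reads it:
    scaled cross supply converted with whatever index is passed in."""
    return ray_mul(total_scaled_cross_supply, index)


def asset_cap_allows(total_borrow: int, amount: int,
                     supply: int, yield_cap_bps: int) -> bool:
    """require((totalBorrow + amount) <= totalSupply.percentMul(yieldCap))."""
    return total_borrow + amount <= percent_mul(supply, yield_cap_bps)


def yield_cap_check(scaled_supply: int, supply_index: int, borrow_index: int,
                    total_borrow: int, amount: int, yield_cap_bps: int):
    """Return (result with supplyIndex, result with borrowIndex) for one borrow."""
    correct = asset_cap_allows(total_borrow, amount,
                               total_supply(scaled_supply, supply_index), yield_cap_bps)
    buggy = asset_cap_allows(total_borrow, amount,
                             total_supply(scaled_supply, borrow_index), yield_cap_bps)
    return correct, buggy


if __name__ == "__main__":
    # Constructed scenario: 1,000,000 scaled units supplied, supply index 1.05,
    # borrow index 1.20 (borrowers accrue faster than suppliers), 20% yield cap,
    # 200,000 already borrowed for yield, new borrow of 20,000.
    scaled_supply = 1_000_000 * 10**18
    res = yield_cap_check(scaled_supply, 105 * 10**25, 120 * 10**25,
                          200_000 * 10**18, 20_000 * 10**18, 2000)
    print("allowed with supplyIndex:", res[0], "| allowed with borrowIndex:", res[1])
```

In the constructed scenario the supply-index cap is 210,000 and the borrow-index cap is 240,000, so the same 220,000 total borrow is rejected by the correct check and accepted by the buggy one; a unit test asserting on the supplyIndex-based cap would have caught the mismatch.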

Impact

With an incorrect value for totalSupply, both yieldCap checks (asset level and staker level) operate on the wrong base, so the cap they enforce is inaccurate, leading to a security risk.

Recommended Mitigation

diff
function executeYieldBorrowERC20(InputTypes.ExecuteYieldBorrowERC20Params memory params) internal { ... ValidateLogic.validateYieldBorrowERC20(params, poolData, assetData, groupData); - vars.totalSupply = VaultLogic.erc20GetTotalCrossSupply(assetData, groupData.borrowIndex); + vars.totalSupply = VaultLogic.erc20GetTotalCrossSupply(assetData, assetData.supplyIndex); // check asset level yield cap limit vars.totalBorrow = VaultLogic.erc20GetTotalCrossBorrowInGroup(groupData, groupData.borrowIndex);
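Review bot: the hunk swaps only the index argument passed to VaultLogic.erc20GetTotalCrossSupply, so the fix is correct only if that helper simply converts the scaled cross supply with whatever index it receives, as the report's reading totalSupply = totalScaledCrossSupply * index assumes; confirm this against the helper's definition, since the original call site passes groupData.borrowIndex and a helper specialised to the borrow side would need a supply-side getter instead. It is also worth stating in the mitigation that the staker-level require below the hunk reuses vars.totalSupply, so this single change corrects both cap checks, and a test asserting the cap against assetData.supplyIndex would pin the behaviour.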

Assessed type

Context