This repository has been archived by the owner on May 26, 2023. It is now read-only.
obront - Users can get around MaxLTV because of lack of strategyId validation #129
Labels
- Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
- High: A valid High severity issue
- Reward: A payout will be made for this issue
- Sponsor Confirmed: The sponsor acknowledged this issue is valid
- Will Fix: The sponsor confirmed this issue will be fixed
Summary

When a user withdraws some of their underlying token, there is a check to ensure they still meet the Max LTV requirements. However, they are able to arbitrarily enter any `strategyId` that they would like for this check, which could allow them to exceed the LTV for their real strategy while passing the approval.

Vulnerability Detail
When a user calls `IchiVaultSpell.sol#reducePosition()`, it removes some of their underlying token from the vault, increasing the LTV of any loans they have taken. As a result, the `_validateMaxLTV(strategyId)` function is called to ensure they remain compliant with their strategy's specified LTV:

To summarize, this check requires:

underlyingTokenValue * maxLTV > debtValue

But there is no check to ensure that this `strategyId` value corresponds to the strategy the user is actually invested in, as we can see in the `reducePosition()` function:

Here is a quick proof of concept to explain the risk:
- `maxLTV[911][DAI] = 2e5`
- `maxLTV[411][DAI] = 4e5`
- `reducePosition()`, withdrawing 1600 DAI and entering `411` as the strategyId.
- The `_validateMaxLTV` check will happen on `strategyId = 411`, and will pass, but the result will be that the user now has only 400 DAI of underlying collateral protecting $2000 USD worth of the risky strategy, violating the LTV.

Impact
Users can get around the specific LTVs and create significantly higher leverage bets than the protocol has allowed. This could cause the protocol to get underwater, as the high leverage combined with risky assets could lead to dramatic price swings without adequate time for the liquidation mechanism to successfully protect solvency.
Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/spell/IchiVaultSpell.sol#L266-L274
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/spell/IchiVaultSpell.sol#L101-L113
Tool used
Manual Review
Recommendation
Since the collateral a position holds will always be the vault token of the strategy they have used, you can validate the `strategyId` against the user's collateral, as follows:
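The unvalidated `strategyId` from the proof of concept above and the collateral-based check this recommendation describes, modelled in Python as an added example (this is not Blueberry's code or the reporter's snippet). `Strategy`, `Position`, `validate_max_ltv`, `reduce_position_vulnerable` and `reduce_position_fixed` are illustrative names; the 1e4 scale for `maxLTV` and the vault token strings are assumptions; the position sizes are constructed. The strategy ids and `maxLTV` values are the ones from the issue.

```python
# Added example (not Blueberry's code): a minimal model of the MaxLTV check in
# IchiVaultSpell.reducePosition(), showing why an unvalidated strategyId lets a
# withdrawal pass, next to the collateral-based check the recommendation describes.
from dataclasses import dataclass

# Assumption: maxLTV is scaled by 1e4, so 2e5 means 20x and 4e5 means 40x.
DENOMINATOR = 10_000


@dataclass
class Strategy:
    vault: str  # the vault token a position in this strategy holds as collateral


@dataclass
class Position:
    underlying_value: int  # USD value of the underlying token left in the vault
    debt_value: int        # USD value of the position's outstanding debt
    coll_token: str        # collateral token actually held by the position


# Constructed protocol state, reusing the strategy ids and maxLTV values from the issue.
STRATEGIES = {911: Strategy("vault-risky"), 411: Strategy("vault-safe")}
MAX_LTV = {911: {"DAI": 200_000}, 411: {"DAI": 400_000}}


def validate_max_ltv(strategy_id: int, pos: Position, token: str = "DAI") -> bool:
    """The check from the issue: underlyingTokenValue * maxLTV > debtValue."""
    return pos.underlying_value * MAX_LTV[strategy_id][token] > pos.debt_value * DENOMINATOR


def reduce_position_vulnerable(pos: Position, strategy_id: int, amount: int) -> Position:
    """The caller-supplied strategy_id is trusted, as in the vulnerable reducePosition()."""
    new_pos = Position(pos.underlying_value - amount, pos.debt_value, pos.coll_token)
    if not validate_max_ltv(strategy_id, new_pos):
        raise ValueError("EXCEED_MAX_LTV")
    return new_pos


def reduce_position_fixed(pos: Position, strategy_id: int, amount: int) -> Position:
    """Rejects any strategy_id whose vault token is not the position's collateral."""
    if STRATEGIES[strategy_id].vault != pos.coll_token:
        raise ValueError("INCORRECT_STRATEGY_ID")
    return reduce_position_vulnerable(pos, strategy_id, amount)


def demo() -> dict:
    """Constructed scenario: 2000 DAI backing $30,000 of debt in the risky strategy 911."""
    pos = Position(underlying_value=2_000, debt_value=30_000, coll_token="vault-risky")
    results = {}
    # Honest call with the real strategy: 1000 * 20 = 20,000 < 30,000 debt, so it fails.
    try:
        reduce_position_vulnerable(pos, 911, 1_000)
        results["honest"] = "passed"
    except ValueError as e:
        results["honest"] = str(e)
    # Same withdrawal with the wrong id: 1000 * 40 = 40,000 > 30,000, so it passes.
    results["wrong_id_vulnerable"] = reduce_position_vulnerable(pos, 411, 1_000).underlying_value
    # The fixed version refuses the id because strategy 411's vault is not the collateral held.
    try:
        reduce_position_fixed(pos, 411, 1_000)
        results["wrong_id_fixed"] = "passed"
    except ValueError as e:
        results["wrong_id_fixed"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The fixed variant derives nothing from the caller's `strategyId` beyond a lookup and then confirms that the strategy's vault token is the collateral the position actually holds; a mismatch reverts before the LTV arithmetic runs, so the only `maxLTV` that can ever be applied is the one for the strategy the user is really in.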