This repository has been archived by the owner on May 26, 2023. It is now read-only.
0x52 - BlueBerryBank#withdrawLend will cause underlying token accounting error if soft/hard vault has withdraw fee #33
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
0x52
high
BlueBerryBank#withdrawLend will cause underlying token accounting error if soft/hard vault has withdraw fee
Summary
Soft/hard vaults can have a withdraw fee. This takes a certain percentage from the user when they withdraw. The way that the token accounting works in BlueBerryBank#withdrawLend, it will only remove the amount returned by the hard/soft vault from pos.underlying amount. If there is a withdraw fee, underlying amount will not be decrease properly and the user will be left with phantom collateral that they can still use.
Vulnerability Detail
Both SoftVault and HardVault implement a withdraw fee. Here we see that withdrawAmount (the return value) is decreased by the fee amount.
The return value is stored as
wAmount
which is then subtracted frompos.underlyingAmount
the issue is that the withdraw fee has now caused a token accounting error forpos
. We see that the fee paid to the hard/soft vault is NOT properly removed frompos.underlyingAmount
. This leaves the user with phantom underlying which doesn't actually exist but that the user can use to take out loans.Exmaple:
For simplicity let's say that 1 share = 1 underlying and the soft/hard vault has a fee of 5%. Imagine a user deposits 100 underlying to receive 100 shares. Now the user withdraws their 100 shares while the hard/soft vault has a withdraw. This burns 100 shares and softVault/hardVault.withdraw returns 95 (100 - 5). During the token accounting pos.underlyingVaultShares are decreased to 0 but pos.underlyingAmount is still equal to 5 (100 - 95).
This accounting error is highly problematic because collateralValue uses pos.underlyingAmount to determine the value of collateral for liquidation purposes. This allows the user to take on more debt than they should.
Impact
User is left with collateral that isn't real but that can be used to take out a loan
Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L669-L704
Tool used
Manual Review
Recommendation
HardVault/SoftVault#withdraw
should also return the fee paid to the vault, so that it can be accounted for.The text was updated successfully, but these errors were encountered: