The function pendingInterest in the smart contract LendingVault has a potential vulnerability related to the use of strict equality in the line totalAvailableAsset == 0. This can be exploited by attackers to manipulate the behavior of the contract.
The vulnerability in the code arises from the use of strict equality (==) to compare the value of totalAvailableAsset_ with zero in the following line:
Ln 459 in lendingVault.sol:
uint256 floating = totalAvailableAsset == 0 ? 0 : totalAvailableAsset_ - assetAmt;
Using strict equality to determine if an account has enough assets can be dangerous because it may not account for very small discrepancies in the value due to rounding errors or other factors. Attackers could potentially manipulate this condition to exploit the contract.
Tools used: static analysis + manual inspection
To address this vulnerability, it is recommended to avoid using strict equality to determine whether an account has enough assets. Instead, consider using inequality comparisons with a small threshold to account for rounding errors or other factors.