Updated getCashPrior()
function returns incorrect amount of funds owned by the protocol.
getCashPrior()
function is changed in order to not have an impact on the exchange rate with the update.
Current version:
Updated version
This causes functions relying solely on getCashPrior()
without using totalBorrows
will receive incorrect data, leading to those functions not reverting when they should. Namely these 3 functions are: borrowFresh(), _reduceReservesFresh() and redeemFresh()
These functions have the following if check to see if the protocol has enough funds to support the transaction.
However after fixUser()
calls, in an example scenario where a user calls redeemFresh()
with amount of tokens that exceeds the tokens protocol has, updated getCashPrior()
will return a uint bigger than the amount of tokens the protocol has. This means that the if check here will be bypassed when it should be returning the error message provided in this function. In this scenario the function would revert at the following external call and receive the wrong error message.
This vulnerability causes user’s to get the wrong error message on why their transaction has failed, shows the wrong amount of tokens owned by the protocol until the badDebt
is paid. This can cause bigger issues on the front-end systems. Which is why this is a low impact vulnerability.
Manual review.
borrowFresh(), _reduceReservesFresh() and redeemFresh()
should be updated to read
instead of getCashPrior()
function.
A better solution would be implementing a new function to be used in exchange rate maths that includes badDebt
and leaving getCashPrior()
as it is.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.