Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Denial of Service in Debt Repayment Due to Incorrect onBehalfOf Parameter Handling

theirrationalone

Summary

The LendingPool contract provides two repayment functions: one for users repaying their own debt via repay, and another for repaying on behalf of another user via repayOnBehalf. According to the NatSpec documentation, if the onBehalfOf parameter is set to address(0), the repayment should default to repaying the caller's own debt. However, both repayOnBehalf and the internal _repay function enforce a check that reverts if onBehalfOf is zero. This discrepancy creates a denial-of-service (DoS) vulnerability, breaking the intended functionality and preventing users from using the shortcut to repay their own debt via the on-behalf mechanism.

Vulnerability Details

How It Begins

Intended Functionality:
- The NatSpec comments for _repay state:
  
  If onBehalfOf is set to address(0), the function defaults to repaying the caller's own debt.
- This allows users a convenient way to call repayOnBehalf with a zero address to indicate self-repayment.
Current Implementation:
- Both repayOnBehalf and _repay check if onBehalfOf is the zero address and revert with AddressCannotBeZero().
- This check prevents the intended defaulting behavior, effectively causing a denial of service when a caller attempts to use address(0).

Code Excerpts

Repay Functions in LendingPool:

/**

* @notice Allows a user to repay their own borrowed reserve assets

* @param amount The amount to repay

function repay(uint256 amount) external nonReentrant whenNotPaused onlyValidAmount(amount) {

_repay(amount, msg.sender);

}

/**

* @notice Allows a user to repay borrowed reserve assets on behalf of another user

* @param amount The amount to repay

* @param onBehalfOf The address of the user whose debt is being repaid

function repayOnBehalf(uint256 amount, address onBehalfOf)

external

nonReentrant

whenNotPaused

onlyValidAmount(amount)

{

if (!canPaybackDebt) revert PaybackDebtDisabled();

@> if (onBehalfOf == address(0)) revert AddressCannotBeZero();

_repay(amount, onBehalfOf);

}

/**

* @notice Internal function to repay borrowed reserve assets

* @param amount The amount to repay

* @param onBehalfOf The address of the user whose debt is being repaid. If address(0), msg.sender's debt is repaid.

* @dev This function allows users to repay their own debt or the debt of another user.

* The caller (msg.sender) provides the funds for repayment in both cases.

* If onBehalfOf is set to address(0), the function defaults to repaying the caller's own debt.

function _repay(uint256 amount, address onBehalfOf) internal {

if (amount == 0) revert InvalidAmount();

// @info: should not revert instead set onBehalfOf to msg.sender

@> if (onBehalfOf == address(0)) revert AddressCannotBeZero();

UserData storage user = userData[onBehalfOf];

// Update reserve state before repayment

ReserveLibrary.updateReserveState(reserve, rateData);

// Calculate the user's debt (for the onBehalfOf address)

uint256 userDebt = IDebtToken(reserve.reserveDebtTokenAddress).balanceOf(onBehalfOf);

uint256 userScaledDebt = userDebt.rayDiv(reserve.usageIndex);

// If amount is greater than userDebt, cap it at userDebt

uint256 actualRepayAmount = amount > userScaledDebt ? userScaledDebt : amount;

uint256 scaledAmount = actualRepayAmount.rayDiv(reserve.usageIndex);

// Burn DebtTokens from the user whose debt is being repaid (onBehalfOf)

// is not actualRepayAmount because we want to allow paying extra dust and we will then cap there

(uint256 amountScaled, uint256 newTotalSupply, uint256 amountBurned, uint256 balanceIncrease) =

IDebtToken(reserve.reserveDebtTokenAddress).burn(onBehalfOf, amount, reserve.usageIndex);

// Transfer reserve assets from the caller (msg.sender) to the reserve

IERC20(reserve.reserveAssetAddress).safeTransferFrom(msg.sender, reserve.reserveRTokenAddress, amountScaled);

reserve.totalUsage = newTotalSupply;

user.scaledDebtBalance -= amountBurned;

// Update liquidity and interest rates

ReserveLibrary.updateInterestRatesAndLiquidity(reserve, rateData, amountScaled, 0);

emit Repay(msg.sender, onBehalfOf, actualRepayAmount);

}

Proof of Concept

Scenario Example

Setup:
- Alice deposits reserve assets and mints an NFT which she then deposits as collateral.
- Alice borrows an amount (e.g., 900e18) against her collateral.
Repayment Attempt:
- To repay her own debt using the repayOnBehalf function, Alice attempts to call:
  lendingPool.repayOnBehalf(500e18, address(0));
- Instead of defaulting to msg.sender (Alice), the function reverts with AddressCannotBeZero().
Result:
- The intended self-repayment functionality is broken, denying Alice the ability to repay her debt conveniently.
- This creates a DoS condition where users cannot repay their own debt using the on-behalf mechanism when passing a zero address.

Test Suite Code

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.19;

import {Test, console} from "forge-std/Test.sol";

import {StabilityPool} from "../src/core/pools/StabilityPool/StabilityPool.sol";

import {LendingPool} from "../src/core/pools/LendingPool/LendingPool.sol";

import {DEToken} from "../src/core/tokens/DEToken.sol";

import {RToken} from "../src/core/tokens/RToken.sol";

import {DebtToken} from "../src/core/tokens/DebtToken.sol";

import {RAACToken} from "../src/core/tokens/RAACToken.sol";

import {RAACMinter} from "../src/core/minters/RAACMinter/RAACMinter.sol";

import {RAACHousePrices} from "../src/core/primitives/RAACHousePrices.sol";

import {RAACNFT} from "../src/core/tokens/RAACNFT.sol";

import {CurveCrvUSDVaultMock} from "./mocks/CurveCrvUSDVaultMock.m.sol";

import {crvUSDToken} from "../src/mocks/core/tokens/crvUSDToken.sol";

import {ERC20Mock} from "../src/mocks/core/tokens/ERC20Mock.sol";

import {ILendingPool} from "../src/interfaces/core/pools/LendingPool/ILendingPool.sol";

import {PercentageMath} from "../src/libraries/math/PercentageMath.sol";

import {WadRayMath} from "../src/libraries/math/WadRayMath.sol";

contract PoolsTest is Test {

using PercentageMath for uint256;

using WadRayMath for uint256;

// contracts

StabilityPool stabilityPool;

LendingPool lendingPool;

DEToken deToken;

RToken rToken;

DebtToken debtToken;

RAACToken raacToken;

RAACMinter raacMinter;

RAACHousePrices raacHousePrices;

RAACNFT raacNft;

CurveCrvUSDVaultMock curveCrvUsdVault;

crvUSDToken crvUsdToken;

ERC20Mock erc20Mock;

// owners

address STABILITY_POOL_OWNER = makeAddr("STABILITY_POOL_OWNER");

address LENDING_POOL_OWNER = makeAddr("LENDING_POOL_OWNER");

address DETOKEN_OWNER = makeAddr("DETOKEN_OWNER");

address RTOKEN_OWNER = makeAddr("RTOKEN_OWNER");

address DEBT_TOKEN_OWNER = makeAddr("DEBT_TOKEN_OWNER");

address RAAC_TOKEN_OWNER = makeAddr("RAAC_TOKEN_OWNER");

address RAAC_MINTER_DUMMY = makeAddr("RAAC_MINTER_DUMMY");

address RAAC_HOUSE_PRICES_OWNER = makeAddr("RAAC_HOUSE_PRICES_OWNER");

address RAAC_HOUSE_PRICES_ORACLE = makeAddr("RAAC_HOUSE_PRICES_ORACLE");

address CRV_USD_TOKEN_OWENR = makeAddr("CRV_USD_TOKEN_OWENR");

address CURVE_CRV_USD_VAULT_OWENR = makeAddr("CURVE_CRV_USD_VAULT_OWENR");

address ERC20_MOCK_TOKEN_OWNER = makeAddr("ERC20_MOCK_TOKEN_OWNER");

address RAAC_NFT_TOKEN_OWNER = makeAddr("RAAC_NFT_TOKEN_OWNER");

address RAAC_MINTER_OWNER = makeAddr("RAAC_MINTER_OWNER");

address RAAC_OWNER = makeAddr("RAAC_OWNER");

// users

address ALICE = makeAddr("ALICE");

address BOB = makeAddr("BOB");

address CHARLIE = makeAddr("CHARLIE");

address DEVIL = makeAddr("DEVIL");

// managers

address MANAGER_1 = makeAddr("MANAGER_1");

address MANAGER_2 = makeAddr("MANAGER_2");

address MANAGER_3 = makeAddr("MANAGER_3");

address MANAGER_4 = makeAddr("MANAGER_4");

address MANAGER_5 = makeAddr("MANAGER_5");

address MANAGER_6 = makeAddr("MANAGER_6");

address MANAGER_7 = makeAddr("MANAGER_7");

address MANAGER_8 = makeAddr("MANAGER_8");

address MANAGER_9 = makeAddr("MANAGER_9");

address MANAGER_10 = makeAddr("MANAGER_10");

uint256 initialPrimeRate = 5e27;

uint256 initialRaacSwapTaxRateInBps = 200; // 2%, 10000 - 100%

uint256 initialRaacBurnTaxRateInBps = 150; // 1.5%, 10000 - 100%

function setUp() public {

vm.warp(block.timestamp + 1 days + 1);

vm.startPrank(CRV_USD_TOKEN_OWENR);

crvUsdToken = new crvUSDToken(CRV_USD_TOKEN_OWENR);

vm.stopPrank();

vm.startPrank(CURVE_CRV_USD_VAULT_OWENR);

curveCrvUsdVault = new CurveCrvUSDVaultMock(address(crvUsdToken), CURVE_CRV_USD_VAULT_OWENR);

vm.stopPrank();

vm.startPrank(RTOKEN_OWNER);

rToken = new RToken("R_Token_V1", "RTKNV1", RTOKEN_OWNER, address(crvUsdToken));

vm.stopPrank();

vm.startPrank(DETOKEN_OWNER);

deToken = new DEToken("DE_Token_V1", "DETKNV1", DETOKEN_OWNER, address(rToken));

vm.stopPrank();

vm.startPrank(DEBT_TOKEN_OWNER);

debtToken = new DebtToken("DEBT_TOKEN_V1", "DEBTKNV1", DEBT_TOKEN_OWNER);

vm.stopPrank();

vm.startPrank(ERC20_MOCK_TOKEN_OWNER);

erc20Mock = new ERC20Mock("ERC20_MOCK_TOKEN", "ERC20MTKN");

vm.stopPrank();

vm.startPrank(RAAC_HOUSE_PRICES_OWNER);

raacHousePrices = new RAACHousePrices(RAAC_HOUSE_PRICES_OWNER);

vm.stopPrank();

vm.startPrank(RAAC_NFT_TOKEN_OWNER);

raacNft = new RAACNFT(address(erc20Mock), address(raacHousePrices), RAAC_NFT_TOKEN_OWNER);

vm.stopPrank();

vm.startPrank(RAAC_OWNER);

raacToken = new RAACToken(RAAC_OWNER, initialRaacSwapTaxRateInBps, initialRaacBurnTaxRateInBps);

vm.stopPrank();

vm.startPrank(LENDING_POOL_OWNER);

lendingPool = new LendingPool(

address(crvUsdToken),

address(rToken),

address(debtToken),

address(raacNft),

address(raacHousePrices),

initialPrimeRate

);

vm.stopPrank();

vm.startPrank(STABILITY_POOL_OWNER);

stabilityPool = new StabilityPool(STABILITY_POOL_OWNER);

vm.stopPrank();

vm.startPrank(RAAC_MINTER_OWNER);

raacMinter = new RAACMinter(address(raacToken), address(stabilityPool), address(lendingPool), RAAC_MINTER_OWNER);

vm.stopPrank();

vm.startPrank(RAAC_OWNER);

raacToken.setMinter(address(raacMinter));

vm.stopPrank();

vm.startPrank(LENDING_POOL_OWNER);

lendingPool.setCurveVault(address(curveCrvUsdVault));

vm.stopPrank();

vm.startPrank(RTOKEN_OWNER);

rToken.setReservePool(address(lendingPool));

vm.stopPrank();

vm.startPrank(DEBT_TOKEN_OWNER);

debtToken.setReservePool(address(lendingPool));

vm.stopPrank();

vm.startPrank(STABILITY_POOL_OWNER);

stabilityPool.initialize(

address(rToken),

address(deToken),

address(raacToken),

address(raacMinter),

address(crvUsdToken),

address(lendingPool)

);

vm.stopPrank();

crvUsdToken.mint(address(lendingPool), 1000_000_000e18);

}

function testRepayDoSIfOnBehalfOfIsZeroAddress() public {

uint256 tokenId = 1;

uint256 housePrice = 1000e18;

vm.startPrank(RAAC_HOUSE_PRICES_OWNER);

// set oracle

raacHousePrices.setOracle(RAAC_HOUSE_PRICES_ORACLE);

vm.stopPrank();

vm.startPrank(RAAC_HOUSE_PRICES_ORACLE);

// house price in USD

raacHousePrices.setHousePrice(tokenId, housePrice);

vm.stopPrank();

// ensure alice has sufficient balance

crvUsdToken.mint(ALICE, 1000e18);

vm.startPrank(ALICE);

crvUsdToken.approve(address(lendingPool), 1000e18);

// deposit 1000e18 into lending pool to have some liquidity

lendingPool.deposit(1000e18);

vm.stopPrank();

// alice pays in erc20 to mint nft

erc20Mock.mint(ALICE, housePrice);

vm.startPrank(ALICE);

erc20Mock.approve(address(raacNft), housePrice);

// mint 1 nft with tokenId 1

raacNft.mint(tokenId, housePrice);

vm.stopPrank();

vm.startPrank(ALICE);

raacNft.approve(address(lendingPool), tokenId);

// deposit nft into lending pool

lendingPool.depositNFT(tokenId);

vm.stopPrank();

(, uint256 scaledDebtBalance,,,,,,) = lendingPool.getAllUserData(ALICE);

console.log("After depositNFT... ");

console.log("scaledDebtBalance: ", scaledDebtBalance);

uint256 borrowAmount = 900e18;

vm.startPrank(ALICE);

// borrow 900e18

lendingPool.borrow(borrowAmount);

vm.stopPrank();

(, scaledDebtBalance,,,,,,) = lendingPool.getAllUserData(ALICE);

console.log("After borrow... ");

console.log("scaledDebtBalance: ", scaledDebtBalance);

vm.startPrank(ALICE);

crvUsdToken.mint(ALICE, 500e18);

crvUsdToken.approve(address(lendingPool), 500e18);

vm.expectRevert(bytes4(keccak256("AddressCannotBeZero()")));

lendingPool.repayOnBehalf(500e18, address(0));

vm.stopPrank();

(, scaledDebtBalance,,,,,,) = lendingPool.getAllUserData(ALICE);

console.log("After repay fail... ");

console.log("scaledDebtBalance: ", scaledDebtBalance);

}

Impact

Denial of Service (DoS):
Users are prevented from repaying their own debt via the repayOnBehalf function using the intuitive shortcut (address(0)), effectively locking them into a less flexible repayment mechanism.
User Experience Degradation:
The inability to default to the caller's address increases friction for users who might inadvertently pass a zero address, thereby disrupting normal debt management operations.
Protocol Functionality Break:
Since the repayment mechanism is a core part of maintaining healthy collateral ratios and managing borrow positions, this flaw could lead to broader systemic issues if users are unable to reduce their debt as needed.

Tools Used

Manual Review
Foundry (Forge)

Recommendations

To fix this vulnerability, adjust the logic so that when the onBehalfOf parameter is address(0), the function defaults to repaying the caller's own debt rather than reverting. The following diff illustrates the required changes:

Recommended Diff

In `repayOnBehalf` Function

Remove the check that reverts when onBehalfOf is zero:

@@ In LendingPool.sol, function repayOnBehalf:

- if (onBehalfOf == address(0)) revert AddressCannotBeZero();

+ // If onBehalfOf is zero, default to msg.sender as intended

+ if (onBehalfOf == address(0)) {

+ onBehalfOf = msg.sender;

+ }

In `_repay` Function

Replace the check with logic to default onBehalfOf to msg.sender:

@@ In LendingPool.sol, function _repay:

- if (onBehalfOf == address(0)) revert AddressCannotBeZero();

+ if (onBehalfOf == address(0)) {

+ onBehalfOf = msg.sender;

+ }

After applying these changes, rerun the test suite to verify that the intended functionality is restored—allowing a zero address to default to the caller's debt repayment—thus eliminating the denial of service.

By implementing these modifications, the protocol will align with its NatSpec documentation and intended behavior, ensuring a smoother and more resilient debt repayment process.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Appeal created

theirrationalone Submitter

7 months ago

inallhonesty Lead Judge

7 months ago

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!

Core Contracts

Denial of Service in Debt Repayment Due to Incorrect onBehalfOf Parameter Handling

Summary

Vulnerability Details

How It Begins

Code Excerpts

Proof of Concept

Scenario Example

Test Suite Code

Impact

Tools Used

Recommendations

Recommended Diff

In repayOnBehalf Function

In _repay Function

Lead Judging Commences

Appeal created

Prize pool breakdown

Live

Judging

Appeals

Appeals Review

Rewards Distribution

FAQs

In `repayOnBehalf` Function

In `_repay` Function