Core Contracts

Summary

The _rebalanceLiquidity() function in LendingPool.sol is vulnerable to gas griefing due to the possibility for a malicious actor to manipulate the buffer state, leading to excessive gas costs for the caller.

Vulnerability Details

In the deposit, withdraw, and borrow functions, the _rebalanceLiquidity() function is invoked to ensure the reserve asset's balance in the reserveRTokenAddress aligns with the desired buffer ratio. If the current buffer is greater than the desired buffer, liquidity is deposited into the Curve vault. Conversely, if the current buffer is less than the desired buffer, liquidity is withdrawn from the Curve vault.

However, an attacker can exploit this by sending a single wei of asset to the reserveRTokenAddress. This action will force the currentBuffer to exceed the desiredBuffer, causing the function to execute a deposit into the Curve vault even if this action is unnecessary. This can lead to excessive gas consumption, as the rebalancing logic will always trigger unnecessary deposits or withdrawals when the attacker manipulates the buffer state.

The issue arises because the contract does not validate whether the buffer imbalance is caused by an external party, allowing a malicious user to trigger more gas-intensive operations than expected.

Impact

This vulnerability can result in increased gas costs for the caller, as they may be forced to execute unnecessary liquidity rebalancing actions. This could lead to driving up transaction costs.

Tools Used

Manual code review

Recommended Mitigation

Instead of relying on balanceOf which can be manipulated by sending assets to the address, make use of a global variable to track assets sent/withdrawn in a legitimate way to the contract. By implementing this recommendation, the gas griefing issue can be mitigated, ensuring that rebalancing occurs only when truly necessary and without causing unnecessary costs to users.