
Flashloan cannot be obtained to delever during high utilization times #119

Open
c4-bot-3 opened this issue Aug 15, 2024 · 3 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b primary issue Highest quality submission among a set of duplicates Q-20 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_20_group AI based duplicate group recommendation sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality

Comments

@c4-bot-3
Contributor

Lines of code

https://github.com/code-423n4/2024-07-loopfi/blob/57871f64bdea450c1f04c9a53dc1a78223719164/src/proxy/PositionAction.sol#L345-L369

Vulnerability details

Impact

Users won't be able to delever their positions during high pool utilization times

Proof of Concept

Loopfi offers leverage functionalities with increaseLever and decreaseLever. Both of these make use of the native flash loan to help a user increase/decrease their leverage

link

```solidity
    function decreaseLever(
        LeverParams calldata leverParams,
        uint256 subCollateral,
        address residualRecipient
    ) external onlyDelegatecall {

        // .....

        IPermission(leverParams.vault).modifyPermission(leverParams.position, self, true);
        uint loanAmount = leverParams.primarySwap.amount;
        flashlender.creditFlashLoan( // <== flash loan requested here
            ICreditFlashBorrower(self),
            loanAmount,
            abi.encode(leverParams, subCollateral, residualRecipient)
        );
```

But the flashloan internally calls the lendCreditAccount method of the pool in order to borrow assets, and this function has a check that the utilization must be below a certain level in order to borrow more assets

link

```solidity
    function creditFlashLoan(
        ICreditFlashBorrower receiver,
        uint256 amount,
        bytes calldata data
    ) external override nonReentrant returns (bool) {
        uint256 fee = wmul(amount, protocolFee);
        uint256 total = amount + fee;

        pool.lendCreditAccount(amount, address(receiver)); // <== borrows from the pool
```

`lendCreditAccount` -> `_updateBaseInterest` -> `calcBorrowRate`

link

```solidity
    function calcBorrowRate(uint256 expectedLiquidity, uint256 availableLiquidity, bool checkOptimalBorrowing)
        public
        view
        override
        returns (uint256)
    {

        // ....

        // If U > U_2 in `isBorrowingMoreU2Forbidden` and the utilization check is requested,
        // the function will revert to prevent raising utilization over the limit
        if (checkOptimalBorrowing && isBorrowingMoreU2Forbidden) {
            revert BorrowingMoreThanU2ForbiddenException(); // U:[LIM-3]
        }
```

Hence, although users are actually attempting to repay their debt when decreasing their leverage, they will not be able to do so because of the kept condition. This will leave users who have leveraged relying on the flashloan unable to decrease their leverage during times of high utilization, accruing greater borrow interest

Tools Used

Manual review

Recommended Mitigation Steps

Since flash loans will improve the balance of the pool, allow flashloan contracts to borrow even during times of high utilization rate

Assessed type

DoS
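A Python model of the flow the report describes, added here as an example and not part of Loopfi's code or the report: a pool whose lending path reverts when the post-borrow utilization exceeds U_2, a delever that flash-borrows, repays the position and returns loan plus fee, and the proposed mitigation of exempting the flash-loan path from the check. The pool sizes, the 90% U_2 and the fee are constructed values.

```python
from dataclasses import dataclass

WAD = 10**18


class BorrowingMoreThanU2ForbiddenException(Exception):
    """Mirrors the revert reason named in the report."""


@dataclass
class Pool:
    expected_liquidity: int   # available + outstanding borrows, in WAD
    available_liquidity: int  # assets currently held by the pool, in WAD
    u2: int                   # utilization limit U_2 in WAD (assumed 90% below)

    def utilization(self, available=None):
        avail = self.available_liquidity if available is None else available
        return (self.expected_liquidity - avail) * WAD // self.expected_liquidity

    def lend_credit_account(self, amount, check_optimal_borrowing=True):
        # calcBorrowRate check as described: revert if post-borrow utilization > U_2
        after = self.available_liquidity - amount
        if after < 0:
            raise ValueError("insufficient available liquidity")
        if check_optimal_borrowing and self.utilization(after) > self.u2:
            raise BorrowingMoreThanU2ForbiddenException()
        self.available_liquidity = after

    def repay(self, amount, fee=0):
        self.available_liquidity += amount + fee
        self.expected_liquidity += fee   # the fee is new liquidity for the pool


def decrease_lever(pool, loan_amount, fee, flashlender_exempt=False):
    """Delever flow: flash-borrow loan_amount, repay the position's debt in the same
    pool with it, sell collateral, return loan + fee. Returns utilization (WAD) after
    the flow, or raises if the U_2 check blocks the flash loan."""
    pool.lend_credit_account(loan_amount, check_optimal_borrowing=not flashlender_exempt)
    pool.repay(loan_amount)        # position debt repaid with the flash-borrowed credit
    pool.repay(loan_amount, fee)   # flash loan settled from the swapped collateral
    return pool.utilization()


def demo():
    # constructed state: 95% utilization, above the assumed 90% U_2
    pool = Pool(expected_liquidity=1000 * WAD, available_liquidity=50 * WAD, u2=9 * WAD // 10)
    u_before = pool.utilization()
    try:
        decrease_lever(pool, 20 * WAD, 2 * WAD // 10)
        blocked = False
    except BorrowingMoreThanU2ForbiddenException:
        blocked = True            # state is unchanged: the revert precedes any update
    u_after = decrease_lever(pool, 20 * WAD, 2 * WAD // 10, flashlender_exempt=True)
    return blocked, u_before, u_after
```

The exempt path ends with more liquidity in the pool than it started with, which is the property the mitigation relies on; a real exemption would still need to be restricted to the trusted flashlender address.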

@c4-bot-3 c4-bot-3 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 15, 2024
c4-bot-1 added a commit that referenced this issue Aug 15, 2024
@c4-bot-11 c4-bot-11 added the 🤖_20_group AI based duplicate group recommendation label Aug 15, 2024
@howlbot-integration howlbot-integration bot added primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Aug 20, 2024
@0xtj24 0xtj24 added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Sep 18, 2024
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 1, 2024
@c4-judge
Contributor

c4-judge commented Oct 1, 2024

koolexcrypto changed the severity to QA (Quality Assurance)

@c4-judge c4-judge closed this as completed Oct 1, 2024
@c4-judge
Contributor

c4-judge commented Oct 1, 2024

koolexcrypto marked the issue as grade-c

@c4-judge c4-judge added grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Oct 1, 2024
@c4-judge c4-judge reopened this Oct 1, 2024
@c4-judge c4-judge added grade-b and removed grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Oct 1, 2024
@c4-judge
Contributor

c4-judge commented Oct 1, 2024

koolexcrypto marked the issue as grade-b

@C4-Staff C4-Staff added the Q-20 label Nov 4, 2024