modifyCollateralAndDebt() doesn't work as intended when the vault is paused since debts can still be increased #32

Open
@c4-bot-6

Lines of code

https://github.com/code-423n4/2024-10-loopfi/blob/d219f0132005b00a68f505edc22b34f9a8b49766/src/CDPVault.sol#L422-L533

Vulnerability details

Proof of Concept

Take a look at https://github.com/code-423n4/2024-10-loopfi/blob/d219f0132005b00a68f505edc22b34f9a8b49766/src/CDPVault.sol#L422-L533

    function modifyCollateralAndDebt(
        address owner,
        address collateralizer,
        address creditor,
        int256 deltaCollateral,
        int256 deltaDebt
    ) public {
        if (
            // position is either more safe than before or msg.sender has the permission from the owner
            ((deltaDebt > 0 || deltaCollateral < 0) && !hasPermission(owner, msg.sender)) ||
            // msg.sender has the permission of the collateralizer to collateralize the position using their cash
            (deltaCollateral > 0 && !hasPermission(collateralizer, msg.sender)) ||
            // msg.sender has the permission of the creditor to use their credit to repay the debt
            (deltaDebt < 0 && !hasPermission(creditor, msg.sender))
        ) revert CDPVault__modifyCollateralAndDebt_noPermission();

        // if the vault is paused allow only debt decreases
        if (deltaDebt > 0 || deltaCollateral != 0){
            _requireNotPaused();//@audit
        }

        Position memory position = positions[owner];
        DebtData memory debtData = _calcDebt(position);

        uint256 newDebt;
        uint256 newCumulativeIndex;

        uint256 profit;
        int256 quotaRevenueChange;
        // ..snip

        emit ModifyCollateralAndDebt(owner, collateralizer, creditor, deltaCollateral, deltaDebt);
    }

This function is used to modify a Position's collateral and debt balances. It checks that the global debt ceiling and the vault's debt ceiling have not been exceeded via the CDM, etc.

Now, one of the new changes in scope, as hinted by the @audit tag, is that when the vault is paused only debt decreases should be accepted. However, this is not enforced, considering a call is made to _requireNotPaused(), which lacks any implementation across scope whatsoever, thereby allowing debt to be increased even if the vault is paused.

Impact

Modifying the position is broken, considering that the revert that's supposed to occur here during an increase of debt whenever the protocol is paused would not occur, since _requireNotPaused() lacks any implementation whatsoever.

Recommended Mitigation Steps

Implement the _requireNotPaused() functionality and correctly check that the protocol is indeed not paused in the case where an attempt is made to increase the debt.

Assessed type

Context
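
The pause gate discussed in this report, as an added example that is not from the original issue or the LoopFi code base: a hypothetical `PauseGateHarness` keeps only the quoted pause condition and gives `_requireNotPaused()` a concrete body, and a plain-Solidity test contract (written to be run with Foundry's `forge test`) checks that only a pure debt decrease passes while paused. The contract names, the `paused` flag, `setPaused` and the error name are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: hypothetical harness, not the CDPVault source.
// It keeps only the pause gate quoted in the report and gives
// _requireNotPaused() a concrete body so the gate can be tested.
contract PauseGateHarness {
    error Harness__paused(); // hypothetical error name
    bool public paused;      // hypothetical pause flag

    function setPaused(bool p) external { paused = p; }

    function _requireNotPaused() internal view {
        if (paused) revert Harness__paused();
    }

    // Same condition as the quoted snippet: anything other than a pure
    // debt decrease (or a no-op) must revert while paused.
    function modifyCollateralAndDebt(int256 deltaCollateral, int256 deltaDebt) external view {
        if (deltaDebt > 0 || deltaCollateral != 0) {
            _requireNotPaused();
        }
    }
}

// Plain-Solidity test contract: a failed require() reverts and fails the test.
contract PauseGateTest {
    PauseGateHarness internal h = new PauseGateHarness();

    // True when the gated call reverts for the given deltas.
    function _reverts(int256 dc, int256 dd) internal view returns (bool) {
        try h.modifyCollateralAndDebt(dc, dd) { return false; } catch { return true; }
    }

    function testPausedAllowsOnlyDebtDecrease() external {
        h.setPaused(true);
        require(_reverts(0, 1), "debt increase must revert while paused");
        require(_reverts(1, 0), "deposit must revert while paused");
        require(_reverts(-1, -1), "withdraw + repay must revert while paused");
        require(!_reverts(0, -1), "pure repayment must pass while paused");
    }

    function testUnpausedAllowsAll() external view {
        require(!_reverts(0, 1) && !_reverts(1, -1), "gate must be open when unpaused");
    }
}
```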

Labels

2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
🤖_16_group: AI based duplicate group recommendation
🤖_primary: AI based primary recommendation
bug: Something isn't working
sufficient quality report: This report is of sufficient quality
