022.md

File metadata and controls

63 lines (39 loc) · 2.43 KB

Delightful Walnut Okapi

Severity: High

Missing liquidity check in pullFunds function

Summary

The pullFunds function in the LendingPool contract allows the leverager to withdraw any amount from the contract without checking availableLiquidity or updating underlyingBalance. This risks draining the reserve's liquidity and exceeding the borrowing limit, causing serious damage to the contract and its users.

Root Cause

The pullFunds function in the LendingPool contract allows the leverager address to withdraw an amount from yTokenAddress without checking the available liquidity (reserve.availableLiquidity()) and without debiting the reserve's accounting (reserve.underlyingBalance -= amount;). This can leave the reserve illiquid and cause serious damage to the contract.

https://github.com/sherlock-audit/2025-02-yieldoor/blob/main/yieldoor/src/LendingPool.sol#L209-L214

    function pullFunds(address asset, uint256 amount) external nonReentrant {
        require(msg.sender == leverager, "borrower not leverager");
        DataTypes.ReserveData memory reserve = getReserve(asset);

        IyToken(reserve.yTokenAddress).transferUnderlyingTo(_msgSender(), amount);
    }

Internal Pre-conditions

  1. The LendingPool contract has been initialized and has assets in reserve.
  2. The leverager has been set up and has access to the pullFunds function.

External Pre-conditions

  1. The leverager intends to withdraw a large amount of assets from the contract.

Attack Path

  1. The leverager calls the pullFunds function with a large amount of assets.
  2. Without checking availableLiquidity, the leverager can withdraw all the assets in the reserve.
  3. Without updating the underlyingBalance, the reserve does not accurately reflect the asset balance, leading to the risk of illiquidity and errors in subsequent operations.
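The hardened form that the attack path calls for, as a sketch added by the editor and not the project's code: it bounds the pull by the reserve's available liquidity and writes the debit through a storage reference, because a memory copy of the reserve (as in the original snippet) discards the update at return. IyTokenLike, YTokenMock, totalBorrows and initReserve are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the yToken that custodies a reserve's underlying
// asset; it is not the project's IyToken.
interface IyTokenLike {
    function transferUnderlyingTo(address to, uint256 amount) external;
}

contract YTokenMock is IyTokenLike {
    uint256 public held; // constructed sample balance, set in the constructor
    constructor(uint256 initial) { held = initial; }
    function transferUnderlyingTo(address, uint256 amount) external override {
        held -= amount; // checked arithmetic: the custodian itself cannot overdraw
    }
}

// Sketch of the reserve accounting around pullFunds. Only yTokenAddress and
// underlyingBalance come from the finding; totalBorrows and initReserve are
// assumptions, and nonReentrant is omitted for brevity.
contract PullFundsSketch {
    struct ReserveData {
        address yTokenAddress;
        uint256 underlyingBalance; // underlying the pool believes the yToken holds
        uint256 totalBorrows;      // assumed field: underlying currently lent out
    }
    address public immutable leverager;
    mapping(address => ReserveData) internal reserves;
    constructor(address leverager_) { leverager = leverager_; }

    // Unrestricted only because this is a sketch; a real pool gates this.
    function initReserve(address asset, address yToken, uint256 deposited) external {
        reserves[asset] = ReserveData(yToken, deposited, 0);
    }

    // In this sketch the withdrawable liquidity is simply the tracked balance.
    function availableLiquidity(address asset) public view returns (uint256) {
        return reserves[asset].underlyingBalance;
    }

    // Hardened pullFunds: bounds the pull and persists the debit. `storage` is
    // essential here; a `memory` copy, as in the original snippet, would be
    // discarded at return and the reserve's books would never change.
    function pullFunds(address asset, uint256 amount) external {
        require(msg.sender == leverager, "borrower not leverager");
        ReserveData storage reserve = reserves[asset];
        require(amount <= availableLiquidity(asset), "Insufficient liquidity");
        reserve.underlyingBalance -= amount;
        reserve.totalBorrows += amount;
        IyTokenLike(reserve.yTokenAddress).transferUnderlyingTo(msg.sender, amount);
    }
}
```

After a successful pull, availableLiquidity(asset) drops by amount; a pull larger than that value reverts with "Insufficient liquidity" before any transfer is attempted.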

Impact

Causes the contract to become illiquid, making it impossible for depositors to withdraw their money.

PoC

No response

Mitigation

Add a liquidity check and debit the reserve's balance:

    function pullFunds(address asset, uint256 amount) external nonReentrant {
        require(msg.sender == leverager, "borrower not leverager");
        DataTypes.ReserveData memory reserve = getReserve(asset);

+      require(amount <= reserve.availableLiquidity(), "Insufficient liquidity");
+      reserve.underlyingBalance -= amount;

        IyToken(reserve.yTokenAddress).transferUnderlyingTo(_msgSender(), amount);
    }
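Review bot: the added line `reserve.underlyingBalance -= amount;` writes to a `memory` copy (`DataTypes.ReserveData memory reserve = getReserve(asset);` two lines above), so the debit is discarded when the function returns and the stored reserve accounting stays unchanged. Bind `reserve` as a `storage` reference to the pool's stored reserve data (or write the decrement through whatever setter the pool uses) so the update persists; the `reserve.availableLiquidity()` check itself reads correctly from either copy, but it should be evaluated before the transfer, as the hunk does.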