_amount requires to be updated to contract balance increase (4) #28
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate: This issue or pull request already exists
- invalid: This doesn't seem right
Lines of code
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L199-L241
Vulnerability details
Impact
Every time the transferFrom or transfer function of the ERC20 standard is called, there is a possibility that the underlying smart contract did not transfer the exact amount entered.
It is required to find out the contract balance increase/decrease after the transfer.
This pattern also protects against the re-entrancy attack vector.
Proof of Concept
Tools Used
Recommended Mitigation Steps
Recommended code:
```solidity
function liquidatePartial(uint256 _vaultId, uint256 _amount) public override nonReentrant {
    IInceptionVaultsDataProvider.InceptionVault memory v = _inceptionVaultsData.vaults(_vaultId);
    _refreshCumulativeRate();
    uint256 collateralValue = _inceptionPriceFeed.convertFrom(v.collateralBalance);
    uint256 currentVaultDebt = _inceptionVaultsData.vaultDebt(_vaultId);
    require(
        !_a.liquidationManager().isHealthy(collateralValue, currentVaultDebt, _vaultConfig.liquidationRatio),
        "IV103"
    );
    uint256 repaymentAfterLiquidationFeeRatio = WadRayMath.wad().sub(_vaultConfig.liquidationFee);
    uint256 maxLiquidationCost = currentVaultDebt.wadDiv(repaymentAfterLiquidationFeeRatio);
    uint256 repayAmount;
    if (_amount > maxLiquidationCost) {
        _amount = maxLiquidationCost;
        repayAmount = currentVaultDebt;
    } else {
        repayAmount = _amount.wadMul(repaymentAfterLiquidationFeeRatio);
    }
    uint256 collateralValueToReceive = _amount.add(_amount.wadMul(_vaultConfig.liquidationBonus));
    uint256 insuranceAmount = 0;
    if (collateralValueToReceive >= collateralValue) {
        // Not enough collateral for debt & liquidation bonus
        collateralValueToReceive = collateralValue;
        uint256 discountedCollateralValue = collateralValue.wadDiv(_vaultConfig.liquidationBonus.add(WadRayMath.wad()));
        if (currentVaultDebt > discountedCollateralValue) {
            // Not enough collateral for debt alone
            insuranceAmount = currentVaultDebt.sub(discountedCollateralValue);
            require(_a.stablex().balanceOf(address(_adminInceptionVault)) >= insuranceAmount, "IV104");
        }
        repayAmount = currentVaultDebt.sub(insuranceAmount);
        _amount = discountedCollateralValue;
    }
    // Reduce the vault debt by repayAmount
    _reduceVaultDebt(_vaultId, repayAmount.add(insuranceAmount));
    IERC20 stablex = IERC20(_a.stablex());
}
```
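The balance-delta pattern the report asks for, as an added example that is not part of the issue or of the Mimo code base. Everything here is hypothetical: `FeeToken` is a constructed ERC20 that burns 1% of every transfer so that `transferFrom(_, _, 100)` delivers only 99, `RepayVault` stands in for a vault that reduces debt against a stablecoin repayment, `repayUnsafe` credits the caller for the requested amount, and `repay` credits only what the contract's balance actually increased by.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
    function transfer(address, uint256) external returns (bool);
}

// Constructed fee-on-transfer token: 1% of every transfer is burned,
// so the recipient always receives less than the amount passed in.
contract FeeToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public constant FEE_BPS = 100; // 1%

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = (amount * FEE_BPS) / 10_000;
        balanceOf[from] -= amount;      // reverts on insufficient balance (0.8 checked math)
        balanceOf[to] += amount - fee;  // fee is burned, never credited to `to`
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount;
        _move(from, to, amount);
        return true;
    }
}

// Hypothetical vault that lets anyone repay debt in `stablex`.
contract RepayVault {
    IERC20 public immutable stablex;
    mapping(uint256 => uint256) public debt;
    bool private _locked;

    modifier nonReentrant() {
        require(!_locked, "reentrant");
        _locked = true;
        _;
        _locked = false;
    }

    constructor(IERC20 token) { stablex = token; }

    // Test helper only: seeds a vault with debt.
    function openDebt(uint256 vaultId, uint256 amount) external { debt[vaultId] = amount; }

    // Vulnerable form: trusts `amount`. With FeeToken, repayUnsafe(id, 100e18)
    // reduces debt by 100e18 while the vault only ever received 99e18.
    function repayUnsafe(uint256 vaultId, uint256 amount) external nonReentrant {
        require(stablex.transferFrom(msg.sender, address(this), amount), "transfer failed");
        debt[vaultId] -= amount;
    }

    // Hardened form: measure the vault's balance before and after the transfer
    // and account for the difference, not the requested amount.
    function repay(uint256 vaultId, uint256 amount) external nonReentrant returns (uint256 received) {
        uint256 before = stablex.balanceOf(address(this));
        require(stablex.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = stablex.balanceOf(address(this)) - before;
        // A token that delivers nothing, or more than asked, is not one we want to account for.
        require(received > 0 && received <= amount, "unexpected transfer amount");
        uint256 owed = debt[vaultId];
        debt[vaultId] = received >= owed ? 0 : owed - received;
        // With FeeToken and amount = 100e18, `received` is 99e18 and debt drops by 99e18.
    }
}
```

Two caveats for anyone applying this. The delta check fixes the accounting mismatch; it does not by itself stop re-entrancy, which is what the `nonReentrant` guard is for, and a token with a transfer hook could still re-enter other functions of the vault between the two `balanceOf` reads. The same before/after measurement applies to outbound `transfer` calls when the amount actually delivered to a liquidator or withdrawer matters.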