Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

maxDeposit & maxMint not respecting lending whitelist #43

Closed
code423n4 opened this issue Aug 14, 2022 · 1 comment
Closed

maxDeposit & maxMint not respecting lending whitelist #43

code423n4 opened this issue Aug 14, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/d968f256462469239ec7394171409ed76dab03e1/src/contracts/FraxlendPair.sol#L137
https://github.com/code-423n4/2022-08-frax/blob/d968f256462469239ec7394171409ed76dab03e1/src/contracts/FraxlendPair.sol#L141

Vulnerability details

Impact & Proof Of Concept

EIP-4626 states for maxDeposit and maxMint: "MUST factor in both global and user-specific limits, like if deposits are entirely disabled (even temporarily) it MUST return 0."

Therefore, when the lender whitelist is active and the callee of these functions is not an approved lender, it MUST return 0, which it currently does not.

Rationale for high risk: In a previous contest, a similar issue was marked high risk with the following reasoning:

EIP4626 is aimed to create a consistent and robust implementation patterns for Tokenized Vaults. A slight deviation from 4626 would broke composability and potentially lead to loss of fund (POC in code-423n4/2022-06-notional-coop-findings#88 can be an example). It is counterproductive to implement EIP4626 but does not conform to it fully.

Recommended Mitigation Steps

Check if the lender is approved, return 0 if this is not the case.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Aug 14, 2022
code423n4 added a commit that referenced this issue Aug 14, 2022
@code423n4
Lambda issue #43
ecf9ee0
@amirnader-ghazvini amirnader-ghazvini added the duplicate This issue or pull request already exists label Aug 29, 2022
@amirnader-ghazvini
Copy link
Collaborator

Duplicate of #79

@amirnader-ghazvini amirnader-ghazvini marked this as a duplicate of #79 Aug 29, 2022
@gititGoro gititGoro added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Oct 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gititGoro @amirnader-ghazvini @code423n4