maxDeposit & maxMint not respecting lending whitelist #43
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate: This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-08-frax/blob/d968f256462469239ec7394171409ed76dab03e1/src/contracts/FraxlendPair.sol#L137
https://github.com/code-423n4/2022-08-frax/blob/d968f256462469239ec7394171409ed76dab03e1/src/contracts/FraxlendPair.sol#L141
Vulnerability details
Impact & Proof Of Concept
EIP-4626 states for maxDeposit and maxMint: "MUST factor in both global and user-specific limits, like if deposits are entirely disabled (even temporarily) it MUST return 0." Therefore, when the lender whitelist is active and the callee of these functions is not an approved lender, it MUST return 0, which it currently does not.
Rationale for high risk: In a previous contest, a similar issue was marked high risk with the following reasoning:
Recommended Mitigation Steps
Check if the lender is approved, return 0 if this is not the case.
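A minimal sketch of the recommended check, added here as an illustration and not taken from the Fraxlend code base. The contract name, `lenderWhitelistActive`, `approvedLenders`, `MAX_ASSETS` and the simplified accounting are assumptions made for this example, as is keying the whitelist on the receiver.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Illustrative only: every name here is an assumption, not the audited contract.
contract WhitelistAwareLimits {
    uint256 internal constant MAX_ASSETS = type(uint128).max; // placeholder global cap

    address public immutable owner;
    bool public immutable lenderWhitelistActive;      // assumed whitelist switch
    mapping(address => bool) public approvedLenders;  // assumed per-lender approval
    mapping(address => uint256) public balanceOf;     // 1:1 shares, for brevity

    error ExceedsMax(uint256 requested, uint256 allowed);

    constructor(bool _whitelistActive) {
        owner = msg.sender;
        lenderWhitelistActive = _whitelistActive;
    }

    function setApprovedLender(address _lender, bool _approved) external {
        require(msg.sender == owner, "only owner");
        approvedLenders[_lender] = _approved;
    }

    /// Single source of truth for the user-specific limit.
    function _lendingAllowed(address _receiver) internal view returns (bool) {
        return !lenderWhitelistActive || approvedLenders[_receiver];
    }

    /// EIP-4626: MUST return 0 when deposits are disabled for this receiver.
    function maxDeposit(address _receiver) public view returns (uint256) {
        return _lendingAllowed(_receiver) ? MAX_ASSETS : 0;
    }

    /// Same rule for shares; shares equal assets in this simplified model.
    function maxMint(address _receiver) public view returns (uint256) {
        return _lendingAllowed(_receiver) ? MAX_ASSETS : 0;
    }

    /// deposit enforces the same limit the view reports, so integrators that
    /// query maxDeposit first never submit a transaction that must revert.
    function deposit(uint256 _amount, address _receiver) external returns (uint256) {
        uint256 allowed = maxDeposit(_receiver);
        if (_amount > allowed) revert ExceedsMax(_amount, allowed);
        balanceOf[_receiver] += _amount; // asset transfer omitted in this sketch
        return _amount;
    }
}
```

Routing both view functions and `deposit` through one internal predicate keeps the reported limit and the enforced limit from drifting apart.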