Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Ch_301 - Users will receive less than they expect from the borrow() #72

Closed
sherlock-admin opened this issue Nov 4, 2022 · 1 comment
Closed

Ch_301 - Users will receive less than they expect from the borrow() #72

sherlock-admin opened this issue Nov 4, 2022 · 1 comment
Labels
Disagree With (non-)Duplication Medium Sponsor Confirmed

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Nov 4, 2022
edited by Evert0x
Loading

Ch_301

medium

Users will receive less than they expect from the borrow()

Summary

Alice will invoke borrow() with amount == X
He will receive only X - n
But updateLocked() will update locked with X value

Vulnerability Detail

On UToken.sol ==> borrow()

if (!assetManagerContract.withdraw(underlying, to, amount)) revert WithdrawFailed();

On AssetManager.sol ==> withdraw() in case isMarketSupported(token) is true
This loop will work

            for (uint256 i = 0; i < withdrawSeqLength && remaining > 0; i++) {
                IMoneyMarketAdapter moneyMarket = moneyMarkets[withdrawSeq[i]];
                if (!moneyMarket.supportsToken(token)) continue;

                uint256 supply = moneyMarket.getSupply(token);
                if (supply == 0) continue;

                uint256 withdrawAmount = supply < remaining ? supply : remaining;
                remaining -= withdrawAmount;
                moneyMarket.withdraw(token, account, withdrawAmount);
            }

in case i == withdrawSeqLength and remaining > 0 this loop will stop. And there is no way to complete sending the remaining balace
The withdraw() will return True even if the remaining > 0

Now go back to UToken.sol ==> borrow()

        if (!assetManagerContract.withdraw(underlying, to, amount)) revert WithdrawFailed();

        IUserManager(userManager).updateLocked(msg.sender, uint96(amount + fee), true);

The first check will passed successfully
And the second line will update the locked amount to amount + fee even if the user dosen’t receive all the amount

Impact

The user will receive less amount of the locked

Code Snippet

          if (isMarketSupported(token)) {
            uint256 withdrawSeqLength = withdrawSeq.length;
            // iterate markets according to defined sequence and withdraw
            for (uint256 i = 0; i < withdrawSeqLength && remaining > 0; i++) {
                IMoneyMarketAdapter moneyMarket = moneyMarkets[withdrawSeq[i]];
                if (!moneyMarket.supportsToken(token)) continue;

                uint256 supply = moneyMarket.getSupply(token);
                if (supply == 0) continue;

                uint256 withdrawAmount = supply < remaining ? supply : remaining;
                remaining -= withdrawAmount;
                moneyMarket.withdraw(token, account, withdrawAmount);
            }
        }

https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/asset/AssetManager.sol#L345-L359

        if (!assetManagerContract.withdraw(underlying, to, amount)) revert WithdrawFailed();

        IUserManager(userManager).updateLocked(msg.sender, uint96(amount + fee), true);

https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/market/UToken.sol#L547-L552

Tool used

Manual Review

Recommendation

You can check remaining on withdraw()

duplicate of #27
@kingjacob
Copy link

dupe of #27

@Evert0x Evert0x closed this as completed Nov 14, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Disagree With (non-)Duplication Medium Sponsor Confirmed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kingjacob @Evert0x @sherlock-admin