Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Jeiwan - Removed adapter can still hold funds, removed token can still be deposited to a market #126

Open
sherlock-admin opened this issue Nov 4, 2022 · 1 comment
Open

Jeiwan - Removed adapter can still hold funds, removed token can still be deposited to a market #126

sherlock-admin opened this issue Nov 4, 2022 · 1 comment
Labels
Medium Sponsor Confirmed

Comments

@sherlock-admin
Copy link
Contributor

Jeiwan

medium

Removed adapter can still hold funds, removed token can still be deposited to a market

Summary

Removed adapter can still hold funds, removed token can still be deposited to a market.

Vulnerability Detail

When removing an adapter, there's no check for whether it's still holding funds (AssetManager.sol#L440). The same is true for tokens: when removing a token, there's no check for whether any of the supported adapters is still holding assets in this token.

Impact

In case an adapter that's being removed still holds funds, these funds will be removed from the total TVL until the removed adapter is re-added. And if there's no plans to re-add the adapter, the remaining funds will be locked in the adapter indefinitely.
Similarly to tokens: if any of the supported markets is still holding a token that's being removed, the token assets held by the market will be removed from the total TVL and users won't be able to get their funds.

Code Snippet

AssetManager.sol#L440:

function removeAdapter(address adapterAddress) external override onlyAdmin {
    bool isExist = false;
    uint256 index;
    uint256 moneyMarketsLength = moneyMarkets.length;

    for (uint256 i = 0; i < moneyMarketsLength; i++) {
        if (adapterAddress == address(moneyMarkets[i])) {
            isExist = true;
            index = i;
            break;
        }
    }

    if (isExist) {
        moneyMarkets[index] = moneyMarkets[moneyMarketsLength - 1];
        moneyMarkets.pop();
    }
}

AssetManager.sol#L396:

function removeToken(address tokenAddress) external override onlyAdmin {
    bool isExist = false;
    uint256 index;
    uint256 supportedTokensLength = supportedTokensList.length;

    for (uint256 i = 0; i < supportedTokensLength; i++) {
        if (tokenAddress == address(supportedTokensList[i])) {
            isExist = true;
            index = i;
            break;
        }
    }

    if (isExist) {
        supportedTokensList[index] = supportedTokensList[supportedTokensLength - 1];
        supportedTokensList.pop();
        supportedMarkets[tokenAddress] = false;
    }
}

Tool used

Manual Review

Recommendation

In the removeAdapter function, check market's supply by calling moneyMarket.getSupply(token) before removing an adapter. In the removeToken function, iterate over all supported adapters and check if they're still holding the token by calling moneyMarket.getSupply(token).
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Medium Sponsor Confirmed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kingjacob @GeraldHost @sherlock-admin