This repository has been archived by the owner on Dec 24, 2023. It is now read-only.
hyh - kickWithDeposit removes the deposit without HTP pool state check #86
Labels: High (a valid High severity issue); Reward (a payout will be made for this issue); Sponsor Confirmed (the sponsor acknowledged this issue is valid); Will Fix (the sponsor confirmed this issue will be fixed)
hyh
high
kickWithDeposit removes the deposit without HTP pool state check
Summary
In order to cover the kick bond, KickerActions' kickWithDeposit() removes the deposit from the pool, but misses the new_LUP >= HTP check, allowing an invariant-breaking state.
Vulnerability Detail
Every deposit removal in the protocol comes with the LUP >= HTP final state check, which ensures that active loans aren't eligible for liquidation (Ajna white paper, 4.1 Deposit).
kickWithDeposit() can effectively remove deposits, either partially or fully, but performs no such check, potentially leaving the pool in the LUP < HTP state.
Impact
A range of outcomes becomes possible after that; for example, all other deposit operations can be frozen as long as they do not move LUP in the opposite direction, since their HTP checks will revert.
There are no low-probability prerequisites and the impact is a violation of the core system invariant, so setting the severity to high.
Code Snippet
kickWithDeposit() can effectively remove quote tokens from any bucket to cover kick bond:
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L321-L336
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/KickerActions.sol#L149-L243
But there is no HTP check:
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/KickerActions.sol#L242-L273
Tool used
Manual Review
Recommendation
Consider checking the LUP >= HTP condition in the final state of the operation, similarly to other functions, for example removeQuoteToken():
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L413-L424
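The invariant and the recommended final-state check, as an added Python model that is not part of the original report and is not Ajna's code. ToyPool, its methods and the sample numbers are constructed for illustration; LUP is modeled as the price of the bucket where cumulative deposits, walking from the highest price down, first cover pool debt.

```python
# Simplified model of the LUP >= HTP invariant; not Ajna's code, all names hypothetical.
class LUPBelowHTP(Exception):
    pass

class ToyPool:
    def __init__(self, deposits, debt, htp):
        self.deposits = dict(deposits)  # bucket price -> quote token deposit
        self.debt = debt                # total pool debt
        self.htp = htp                  # highest threshold price of active loans

    def lup(self):
        # Walk buckets from the highest price down; LUP is the price of the
        # bucket at which cumulative deposits first cover the debt.
        covered = 0
        for price in sorted(self.deposits, reverse=True):
            covered += self.deposits[price]
            if covered >= self.debt:
                return price
        return 0  # debt not covered at all (floor chosen for this model)

    def remove_unchecked(self, price, amount):
        # Shape of the reported bug: deposit leaves, final state is never checked.
        self.deposits[price] -= amount

    def remove_checked(self, price, amount):
        # Recommended shape: apply the removal, then check the final state.
        before = self.deposits[price]
        self.deposits[price] = before - amount
        if self.lup() < self.htp:
            self.deposits[price] = before  # emulate the revert
            raise LUPBelowHTP()

def blocked(pool, price, amount):
    try:
        pool.remove_checked(price, amount)
        return False
    except LUPBelowHTP:
        return True

def run_scenario():
    pool = ToyPool({100: 500, 90: 500, 80: 500}, debt=600, htp=85)  # constructed values
    start_lup = pool.lup()             # 90, so LUP >= HTP holds
    guarded = blocked(pool, 100, 450)  # checked path refuses the removal
    pool.remove_unchecked(100, 450)    # unchecked path lets it through
    broken_lup = pool.lup()            # 80, now below HTP
    frozen = blocked(pool, 80, 10)     # unrelated checked removal now reverts
    return start_lup, guarded, broken_lup, frozen

if __name__ == "__main__":
    print(run_scenario())
```

The last value in the returned tuple corresponds to the Impact section: once the pool sits in LUP < HTP, a small checked removal from a different bucket reverts as well.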