This repository has been archived by the owner on Apr 28, 2024. It is now read-only.

Japy69 - Anyone can block any borrowing #27

Closed
sherlock-admin opened this issue Oct 23, 2023 · 1 comment
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue


sherlock-admin commented Oct 23, 2023

Japy69

high

Anyone can block any borrowing

Summary

The LiquidityBorrowingManager.sol smart contract in the Real Wagmi project has a vulnerability that can lead to a situation where no one can borrow a specific ERC20 token. It works with any ERC20 token.

Vulnerability Detail

In the LiquidityBorrowingManager.sol smart contract, specifically in the borrow function, there is a check on borrowingCollateral. The relevant code snippet is as follows:

```solidity
uint256 borrowingCollateral = cache.borrowedAmount - cache.holdTokenBalance;
(borrowingCollateral > params.maxCollateral).revertError(ErrLib.ErrorCode.TOO_BIG_COLLATERAL);
```

The borrowingCollateral variable is calculated as the difference between the borrowed amount and cache.holdTokenBalance. cache.holdTokenBalance is equivalent to the balance of the params.holdToken token held by the contract. In a normal world, this is equivalent to the tokens the contract just received by the position used here. Since anyone can send ERC20 tokens to this contract, an attacker can manipulate cache.holdTokenBalance by sending an amount of the params.holdToken token to the contract directly. This manipulation can result in cache.holdTokenBalance being larger than cache.borrowedAmount, causing the transaction and all the next ones to revert.

To PoC this vulnerability, in the test file WagmiLeverageTests.ts, we just need to modify this line

```typescript
[owner.address, alice.address, bob.address, aggregatorMock.address],
```

by

```typescript
[owner.address, alice.address, bob.address, aggregatorMock.address, borrowingManager.address],
```

By this modification, we also send tokens to the smart contract. Then all the tests (run `npx hardhat test`) when someone borrows (and logically then other actions after borrowing) fail.

Impact

The impact of this vulnerability is significant. An attacker can effectively prevent anyone from borrowing the specific params.holdToken token. Moreover, the cost is not high since borrowingCollateral is normally not very high (in some cases it is equal to 1).

Code Snippet

The vulnerability comes from this line: https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L869-L872

Tool used

Manual Review

Recommendation

  1. Call the balanceOf function of the token at the beginning of the borrow function. When computing cache.holdTokenBalance, compare it to the previous balance.
  2. Add a function allowing to withdraw ERC20 tokens of this contract (and not in the vault!). Because the balance should be empty, in case of receipt, someone should be able to withdraw it.

Duplicate of #86
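
The reported pattern next to the balance-delta accounting from recommendation 1, as an added sketch that is not part of the report or the Real Wagmi code base. It assumes checked arithmetic (Solidity 0.8+); the contract name, function names, the `_extractLiquidity` hook and the clamp-to-zero choice are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical sketch: every name except borrowingCollateral, borrowedAmount,
// holdTokenBalance and maxCollateral is invented for this example.
abstract contract BorrowCollateralSketch {
    error TooBigCollateral();
    IERC20 public immutable holdToken;

    constructor(IERC20 _holdToken) {
        holdToken = _holdToken;
    }

    // Stand-in for the step that pulls hold tokens into this contract.
    function _extractLiquidity(uint256 borrowedAmount) internal virtual;

    // Reported pattern: the absolute balance is read after extraction.
    function borrowUsingAbsoluteBalance(uint256 borrowedAmount, uint256 maxCollateral)
        external
        returns (uint256 borrowingCollateral)
    {
        _extractLiquidity(borrowedAmount);
        uint256 holdTokenBalance = holdToken.balanceOf(address(this));
        // Checked arithmetic: reverts once tokens sent directly to the
        // contract push holdTokenBalance above borrowedAmount.
        borrowingCollateral = borrowedAmount - holdTokenBalance;
        if (borrowingCollateral > maxCollateral) revert TooBigCollateral();
    }

    // Recommendation 1: snapshot first, then count only what this call received.
    function borrowUsingBalanceDelta(uint256 borrowedAmount, uint256 maxCollateral)
        external
        returns (uint256 borrowingCollateral)
    {
        uint256 balanceBefore = holdToken.balanceOf(address(this));
        _extractLiquidity(borrowedAmount);
        uint256 received = holdToken.balanceOf(address(this)) - balanceBefore;
        // Assumption: a surplus means no collateral is owed, so clamp to zero.
        borrowingCollateral = borrowedAmount > received ? borrowedAmount - received : 0;
        if (borrowingCollateral > maxCollateral) revert TooBigCollateral();
    }
}
```

With the delta form, tokens already sitting in the contract before the call cancel out of `received`, so a direct transfer no longer changes the result of the collateral check.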

@fann95 fann95 self-assigned this Oct 24, 2023
@fann95 fann95 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Oct 24, 2023

fann95 commented Oct 24, 2023

this is a duplicate of this one #72

@github-actions github-actions bot added the Medium A valid Medium severity issue label Oct 26, 2023
@Evert0x Evert0x added High A valid High severity issue and removed Medium A valid Medium severity issue labels Oct 30, 2023
@sherlock-admin sherlock-admin changed the title Itchy Canvas Cricket - Anyone can block any borrowing Japy69 - Anyone can block any borrowing Oct 30, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Oct 30, 2023
@Evert0x Evert0x added Medium A valid Medium severity issue and removed High A valid High severity issue labels Nov 13, 2023