#37056 [SC-Insight] `require_at_least_min_net_debt` did not emit correct error message

Submitted on Nov 24th 2024 at 03:16:10 UTC by @InquisitorScythe for IOP | Fluid Protocol

• Report ID: #37056

• Report Type: Smart Contract

• Report severity: Insight

• Target: https://github.com/Hydrogen-Labs/fluid-protocol/tree/main/contracts/borrow-operations-contract/src/main.sw

• Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

in require_at_least_min_net_debt, if it did not pass the check, it will emit a error message "Borrow Operations: net debt must be greater than 0", it did not consider the value of MIN_NET_DEBT in the error message.

Vulnerability Details

in contracts/borrow-operations-contract/src/main.sw

fn require_at_least_min_net_debt(_net_debt: u64) {
    require(
        _net_debt >= MIN_NET_DEBT,
        "Borrow Operations: net debt must be greater than 0", // @audit: error message
    );
}

but MIN_NET_DEBT is 500 usdf defined in fluid_math.sw

It is suggested to emit correct error message like :

It is even better to use format string to fill MIN_NET_DEBT into the error message, but I could not find out how to do it

Impact Details

Deliver wrong message when the checks fails, makes it hard to debug and confuse the users.

References

None

Proof of Concept

Proof of Concept

change the function fails_open_trove_under_min_usdf_required in contracts/borrow-operations-contract/tests/failurelike:

and then run cargo test fails_open_trove_under_min_usdf_required -- --nocapture, the output is like :