Boost _ Folks Finance 34183 - [Smart Contract - Insight] rebalanceUp could be used to lower the user

Submitted on Tue Aug 06 2024 07:27:50 GMT-0400 (Atlantic Standard Time) by @alix_40 for Boost | Folks Finance

Report ID: #34183

Report type: Smart Contract

Report severity: Insight

Target: https://testnet.snowtrace.io/address/0x2cAa1315bd676FbecABFC3195000c642f503f1C9

Impacts:

Contract fails to deliver promised returns, but doesn't lose value

Description

This report is intended to be submitted under my team account "A2Security" but I reached the report submission rate limit on the last day. Please count this report as though it were from "A2Security".

Impact

users could use rebalanceUp to rebalance down, if their loan.stableInterest

Recomendation

To fix this we need to simply check that the userloan.stableInterestRate is not lower than the pool interest rate

    function executeRebalanceUp(
        mapping(bytes32 => LoanManagerState.UserLoan) storage userLoans,
        mapping(uint8 => IHubPool) storage pools,
        DataTypes.ExecuteRebalanceParams memory params
    ) external {
        LoanManagerState.UserLoan storage userLoan = userLoans[params.loanId];

        // user cannot rebalance borrow which they don't have or is not stable
        // borrow present iff loan type created and pool added so no need to check this
        if (!userLoan.hasStableBorrowIn(params.poolId)) {
            revert NoStableBorrowInLoanForPool(params.loanId, params.poolId);
        }

        // pool pre-checks and update interest indexes
        IHubPool pool = pools[params.poolId];
        // @note update index + checks threshold

        DataTypes.BorrowPoolParams memory borrowPoolParams = pool.preparePoolForRebalanceUp();
+       if (borrowPoolParams.stableInterestRate < userLoan.stableInterestRate) {
+       revert RateLowerThanPoolRate
+    }
        // rebalance the user loan borrow
        LoanManagerState.UserLoanBorrow storage loanBorrow = userLoan.borrows[params.poolId];
    }

Proof of concept

Proof Of Concept

    function prepareForRebalanceUp(HubPoolState.PoolData storage pool) external returns (DataTypes.BorrowPoolParams memory borrowPoolParams) {
        // can rebalance even if pool is depreciated
        // update interest indexes before the interest rates change
        pool.updateInterestIndexes();
        uint256 utilizationRatio = MathUtils.calcUtilisationRatio(pool.variableBorrowData.totalAmount + pool.stableBorrowData.totalAmount, pool.depositData.totalAmount);
        // @note Calculates threshold as: (rebalanceUpRate(capsdata) * totalVariableRate) / 100
        // @note totalVariableRate = varaible.vr0 + variable.vr1 + variable.vr2
        uint256 rebalanceUpThreshold = MathUtils.calcRebalanceUpThreshold(
            pool.stableBorrowData.rebalanceUpDepositInterestRate, pool.variableBorrowData.vr0, pool.variableBorrowData.vr1, pool.variableBorrowData.vr2
        );
        // @note U can't rebalance UP if we are under a rebalance threshold
        // check conditions for rebalance
 @1       if (utilizationRatio < MathUtils.from4DPto18DP(pool.stableBorrowData.rebalanceUpUtilisationRatio)) {
            revert RebalanceUpUtilisationRatioNotReached();
        }
 @2       if (rebalanceUpThreshold < pool.depositData.interestRate) revert RebalanceUpThresholdNotReached();

        borrowPoolParams.variableInterestIndex = pool.variableBorrowData.interestIndex;
        borrowPoolParams.stableInterestRate = pool.stableBorrowData.interestRate;
    }

As we can see in the rates checks in prepareForRebalanceUp() we don't use the userLoan.stableInterestRate and don't do any validation on it, meaning if the userLoan.stableRate is bigger than pool.stableInterestRate, and the condition @1 and @2 are fullfilled a user can still call RebalanceUp to lower the stableRate of his loan

PreviousBoost _ Folks Finance 34179 - [Smart Contract - High] Incorrect Updates to pooldepositDatatotalAmoun NextBoost _ Folks Finance 34188 - [Smart Contract - Insight] BridgeRouterHub can add address adapter

Last updated 1 year ago

Was this helpful?

hashtagDescription

hashtagImpact

hashtagRecomendation

hashtagProof of concept

hashtagProof Of Concept

Description

Impact

Recomendation

Proof of concept

Proof Of Concept