Skip to content

Latest commit

 

History

History
70 lines (47 loc) · 2.51 KB

041.md

File metadata and controls

70 lines (47 loc) · 2.51 KB

Furry Rusty Monkey

High

Users can withdraw more collateral than they have deposited

Summary

The Treasure::withdraw function does not validate that the withdrawal amount requested by a user is within their available collateral. This creates a critical vulnerability allowing users to withdraw more collateral than they have deposited.

Root Cause

No comparison of the requested amount with the user’s deposited collateral or the remaining collateral. The only check here is that the withdrawal amount is non-zero.

require(amount > 0, "Cannot withdraw zero collateral");

It does not check whether amount exceeds the user’s deposited collateral.

The function also subtracts the total deposited collateral from global and user-specific variables without validating whether the amount being withdrawn is within the available collateral:

depositedCollateralAmountInWei[depositDetails.assetName] -= depositDetails.depositedAmountInETH;
totalVolumeOfBorrowersAmountinWei -= depositDetails.depositedAmountInETH;
borrowing[borrower].depositedAmountInETH -= depositDetails.depositedAmountInETH;

These updates are performed regardless of the requested amount.

  • If the asset is ETH:
bool sent, ) = payable(toAddress).call{value: amount}("");
require(sent, "Failed to send Collateral");

The amount is sent without validating whether it is available.

  • If the asset is an ERC-20 token:
bool sent = IERC20(borrow.assetAddress(depositDetails.assetName)).transfer(toAddress, depositDetails.depositedAmount - upsideToDeduct);
require(sent, "Failed to send Collateral");

Again, there is no check against the actual collateral amount.

Internal pre-conditions

  1. A user deposits collateral into the protocol.
  2. The user calls the withdraw function with an amount greater than their deposited collateral.
  3. The function processes the request without validation, allowing the user to withdraw more than their available collateral.

https://github.com/sherlock-audit/2024-11-autonomint/blob/main/Blockchain/Blockchian/contracts/Core_logic/Treasury.sol#L226

External pre-conditions

No response

Attack Path

No response

Impact

Users can withdraw more than their collateral which can drain the protocol’s reserves.

PoC

No response

Mitigation

Ensure the requested withdrawal amount is less than or equal to the user’s available collateral. After validating the amount, update the withdrawAmount field to track how much collateral the user has withdrawn