Skip to content

Latest commit

 

History

History
72 lines (53 loc) · 2.43 KB

053.md

File metadata and controls

72 lines (53 loc) · 2.43 KB

Low Tangerine Cod

Medium

fee refund is not happening on borrower withdraw

Summary

when condition is not cds.getTotalCdsDepositedAmount() < downsideProtected fees are not being returned to user

Root Cause

In whole project whenever layer zero call is not happening user gets their refund. User doesn't know in advance how much to send due to the fact that call for layer 0 depends only on internal computation/variables, so refund should be happening whenever layer0 call not triggered. There is not refund in } else { statement.

    function _getDownsideFromCDS(
        uint128 downsideProtected,
        uint256 feeForOFT
    ) internal {
        if (cds.getTotalCdsDepositedAmount() < downsideProtected) {
            // Call the oftOrCollateralReceiveFromOtherChains function in global variables
            globalVariables.oftOrCollateralReceiveFromOtherChains{value: feeForOFT}(
                IGlobalVariables.FunctionToDo(3),
                IGlobalVariables.USDaOftTransferData(address(treasury),downsideProtected - cds.getTotalCdsDepositedAmount()),
                // Since we don't need ETH, we have passed zero params
                IGlobalVariables.CollateralTokenTransferData(address(0),0,0,0),
                IGlobalVariables.CallingFunction.BORROW_WITHDRAW,
                msg.sender
            );
        } else {
->            // updating downside protected from this chain in CDS
            cds.updateDownsideProtected(downsideProtected);
        }
        // Burn the borrow amount
        treasury.approveTokens(IBorrowing.AssetName.USDa, address(this), downsideProtected);
        bool success = usda.contractBurnFrom(address(treasury), downsideProtected);
        if (!success) revert Borrow_BurnFailed();
    }

contracts/Core_logic/borrowing.sol#L735

Internal pre-conditions

cds.getTotalCdsDepositedAmount() >= downsideProtected

External pre-conditions

none

Attack Path

none, always happens

Impact

Users will not get their refund

PoC

not needed

Mitigation

        } else {
            // updating downside protected from this chain in CDS
+            (bool sent, ) = payable(toAddress).call{value: feeForOFT}("");
+            if (!sent) revert Borrow_TransferFailed();
            cds.updateDownsideProtected(downsideProtected);
        }