Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Zealous Seafoam Platypus - Incorrect Calculation of borrowingHealth for Non-ETH Tokens in BorrowLib::withdraw will not allow them to withdraw. #1047

Open
sherlock-admin4 opened this issue Dec 30, 2024 · 0 comments
Open

Zealous Seafoam Platypus - Incorrect Calculation of borrowingHealth for Non-ETH Tokens in BorrowLib::withdraw will not allow them to withdraw. #1047

sherlock-admin4 opened this issue Dec 30, 2024 · 0 comments

Comments

@sherlock-admin4
Copy link

Zealous Seafoam Platypus

High

Incorrect Calculation of borrowingHealth for Non-ETH Tokens in BorrowLib::withdraw will not allow them to withdraw.

Summary

The BorrowLib::withdraw function calculates the borrowingHealth as the ratio of the ETH price at the time of deposit to its current price, as seen here. However, this approach is not valid for tokens other than ETH, such as weETH or wrsETH. For non-ETH tokens, borrowingHealth should be calculated by comparing the deposited value to the current market value, using their respective exchange rates.

Due to this flaw, users may be unable to withdraw their assets even if the price of non-ETH tokens has remained stable or increased. The protocol only factors in the ETH price drop, which adversely affects the borrowingHealth for non-ETH tokens.

Root Cause

The borrowingHealth calculation is solely based on the ETH price and does not take into account the exchange rates or market value of non-ETH tokens like weETH and wrsETH.

https://github.com/sherlock-audit/2024-11-autonomint/blob/0d324e04d4c0ca306e1ae4d4c65f0cb9d681751b/Blockchain/Blockchian/contracts/lib/BorrowLib.sol#L819

uint128 borrowingHealth = calculateEthPriceRatio(depositDetail.ethPriceAtDeposit, params.ethPrice);

https://github.com/sherlock-audit/2024-11-autonomint/blob/0d324e04d4c0ca306e1ae4d4c65f0cb9d681751b/Blockchain/Blockchian/contracts/lib/BorrowLib.sol#L822`

if (borrowingHealth < 8000) revert IBorrowing.Borrow_BorrowHealthLow();

Internal pre-conditions

No response

External pre-conditions

  • The price of ETH decreases by more than 20% from its deposited value.
  • Non-ETH tokens like weETH or wrsETH either maintain a stable price or increase in value in the market.

Attack Path

No response

Impact

  • Even if non-ETH tokens like weETH or wrsETH have performed well in the market, users may be prevented from withdrawing them due to a low borrowingHealth value that is influenced solely by the decline in ETH’s price.

  • This miscalculation introduces discrepancies, leading to a negative user experience and potentially eroding trust in the protocol.

PoC

No response

Mitigation

To fix this issue, ensure that borrowingHealth for non-ETH tokens is calculated based on their respective exchange rates instead of relying solely on the ETH price.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4