Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lone Fossilized Lemur - Logic Error in Options Renewal Validation Enables Unauthorized Protection Benefits #1053

Open
sherlock-admin4 opened this issue Dec 30, 2024 · 0 comments
Open

Lone Fossilized Lemur - Logic Error in Options Renewal Validation Enables Unauthorized Protection Benefits #1053

sherlock-admin4 opened this issue Dec 30, 2024 · 0 comments

Comments

@sherlock-admin4
Copy link

Lone Fossilized Lemur

High

Logic Error in Options Renewal Validation Enables Unauthorized Protection Benefits

Summary

A critical logic flaw has been identified in the borrowing::renewOptions functionality. While the system is designed to allow position renewal within a 15-30 day window from the last renewal timestamp, a faulty implementation of the validation check permits users to renew their options at any time. This oversight enables borrowers to maintain downside protection benefits even after the intended maturity period.

Root Cause

In BorrowLib::getOptionFeesToPay this checks the user if he is renewing his options position in btw 15 to 30 days of last depositDetail.optionsRenewedTimeStamp but the ISSUE here is that this check will never ever revert due to wrong implementation, and therefore the borrower will be able to renew his option anytime before the withdraw (even after the 30 days maturity as has passed) and will enjoy the benefit of downside protection in withdraw. Which is an ISSUE, this should not happen.

The root cause of this vulnerability is the incorrect logical operator used in the time check condition. The current implementation uses && (AND) instead of || (OR), which makes the condition always false and never let it revert.

            if (
                block.timestamp < depositDetail.optionsRenewedTimeStamp + 15 days
                    && block.timestamp > depositDetail.optionsRenewedTimeStamp + 30 days
            ) revert IBorrowing.Borrow_DeadlinePassed();

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The vulnerability creates a financial risk for the protocol as borrowers can exploit the faulty validation to obtain unauthorized downside protection. This results in reduced debt repayments through the formula depositDetail.totalDebtAmountPaid = borrowerDebt - downsideProtected, directly impacting protocol revenues.

PoC

No response

Mitigation

The time window validation needs to be corrected by replacing the logical AND operator with OR:

if (
    block.timestamp < depositDetail.optionsRenewedTimeStamp + 15 days
-        && block.timestamp > depositDetail.optionsRenewedTimeStamp + 30 days
+        || block.timestamp > depositDetail.optionsRenewedTimeStamp + 30 days
) revert IBorrowing.Borrow_DeadlinePassed();

This modification ensures options can only be renewed within the intended 15-30 day window, preventing exploitation of the downside protection mechanism.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4