Skip to content

Latest commit

 

History

History
57 lines (29 loc) · 2.51 KB

013.md

File metadata and controls

57 lines (29 loc) · 2.51 KB

Obedient Lava Monkey

Medium

Lack of Range Validation in setLtv Causes Data Truncation for Protocol Users as Admin Sets Out-of-Range LTV Values

Summary

The absence of range validation in setLtv will cause data truncation for protocol users as admin sets LTV values exceeding 16 bits, leading to unintended or corrupted configurations.

Root Cause

In ReserveConfiguration.sol, the lack of range validation for LTV values allows inputs exceeding the 16-bit limit, causing data truncation when these values are bitwise shifted into the configuration. When setting the Loan-to-Value (LTV) in setLtv, if the provided value exceeds the bit range allocated (16 bits), it can lead to truncation of the LTV value due to the bitmask not preventing larger values from being written.

self.data = (self.data & ~LTV_MASK) | ltv;
  • If ltv is greater than 65535 (the max value for 16 bits), it silently truncates to fit, potentially setting an unintended LTV value, leading to incorrect risk calculations and unintended liquidations.

self.data alone doesn't help because it merely holds the configuration data as a bitmask without enforcing any constraints on the values being set. Without explicit validation, self.data will store whatever value is passed, including out-of-range values that will be truncated when bit-shifted into the 16-bit space, leading to corruption of the intended configuration.

Internal Pre-conditions

  1. Admin needs to call setLtv() to set ltv to be greater than 65535.
  2. The self.data bitmask does not restrict values to the valid 16-bit range.

External Pre-conditions

  1. No external contract or oracle interaction is required.
  2. The protocol relies on self.data to store and retrieve reserve configuration.

Attack Path

  1. Admin calls setLtv() with an ltv value greater than 65535.
  2. The ltv value is truncated to fit into the 16-bit space without validation.
  3. The reserve operates with a corrupted or unintended LTV configuration.

Impact

The protocol suffers from incorrect risk calculations, which could result in unintended liquidations or improper reserve management, potentially harming users by altering their loan conditions unexpectedly.

PoC

No response

Mitigation

Add a validation check in setLtv to ensure ltv does not exceed 65535 before applying the bitmask.