Obedient Lava Monkey
Medium
The failure to correctly adjust the isolationModeTotalDebt when borrowing in isolation mode will cause an over-borrowing vulnerability for isolated assets as the protocol will miscalculate the debt ceiling and allow users to exceed the intended borrowing limits.
In BorrowLogic.sol, the isolationModeTotalDebt calculation incorrectly assumes that the borrowed amount (params.amount) can be directly scaled without verifying the decimals of the isolated asset.
uint256 nextIsolationModeTotalDebt = reservesData[isolationModeCollateralAddress]
.isolationModeTotalDebt += (params.amount /
10 ** (reserveCache.reserveConfiguration.getDecimals() -
ReserveConfiguration.DEBT_CEILING_DECIMALS)).toUint128();The calculation assumes that getDecimals() for the reserve and DEBT_CEILING_DECIMALS will align correctly for every isolated asset. If there is a mismatch in decimals or if the borrowed amount is not properly scaled, the isolationModeTotalDebt can be incorrectly calculated, allowing users to bypass the debt ceiling.
- The reserve is configured in isolation mode with a defined
debt ceiling. - The user borrows an amount that exceeds the scaled ceiling when miscalculated.
- The isolated asset has a mismatch between its internal decimals and the expected
DEBT_CEILING_DECIMALS.
- User borrows an amount in isolation mode with a large enough value to exploit the miscalculation.
- The protocol updates
isolationModeTotalDebtwith an incorrectly scaled value due to decimal mismatch. - The attacker repeats the process to borrow more than the actual debt ceiling, potentially draining the protocol's reserves.
The protocol reserves for isolated assets are over-utilized, bypassing intended risk controls. Depositors are exposed to significant risks as reserves may be depleted due to excessive borrowing.
Ensure proper scaling of params.amount by verifying and aligning decimals explicitly.