Curved Inky Ram
Medium
The protocol aims to restrict the activation of isolated assets as collateral to authorized users only—specifically, those with the ISOLATED_COLLATERAL_SUPPLIER_ROLE. However, due to a missing access control check in the validateSetUseReserveAsCollateral function, any user can explicitly enable an isolated asset as collateral
Only authorized users with the ISOLATED_COLLATERAL_SUPPLIER_ROLE can enable isolated assets (assets with a debt ceiling) as collateral.
This invariant ensures that the protocol maintains proper risk management for isolated assets. By restricting who can activate such assets as collateral, the protocol can prevent unintended exposure and maintain the effectiveness of isolation mode constraints.
function validateAutomaticUseAsCollateral( mapping(address => DataTypes.ReserveData) storage reservesData, mapping(uint256 => address) storage reservesList, DataTypes.UserConfigurationMap storage userConfig, DataTypes.ReserveConfigurationMap memory reserveConfig, address aTokenAddress ) internal view returns (bool) { if (reserveConfig.getDebtCeiling() != 0) { // Ensures only the ISOLATED_COLLATERAL_SUPPLIER_ROLE can enable collateral as side-effect of an action IPoolAddressesProvider addressesProvider = IncentivizedERC20(aTokenAddress) .POOL() .ADDRESSES_PROVIDER(); if ( !IAccessControl(addressesProvider.getACLManager()).hasRole( ISOLATED_COLLATERAL_SUPPLIER_ROLE, msg.sender ) ) return false; } return validateUseAsCollateral(reservesData, reservesList, userConfig, reserveConfig); }
Checks if the asset has a debt ceiling (i.e., it's an isolated asset). If it does, it ensures that only users with the ISOLATED_COLLATERAL_SUPPLIER_ROLE can automatically use the asset as collateral (e.g., during supply or transfer operations).
function validateSetUseReserveAsCollateral( DataTypes.ReserveCache memory reserveCache, uint256 userBalance ) internal pure { require(userBalance != 0, Errors.UNDERLYING_BALANCE_ZERO);
(bool isActive, , , bool isPaused) = reserveCache.reserveConfiguration.getFlags();
require(isActive, Errors.RESERVE_INACTIVE);
require(!isPaused, Errors.RESERVE_PAUSED);
}
Validates general conditions for setting an asset as collateral. Does not check whether the asset is isolated or whether the user has the ISOLATED_COLLATERAL_SUPPLIER_ROLE.
The problem arises because while automatic collateral activation is restricted for isolated assets, explicit collateral activation by the user is not. This means that a user can call the setUserUseReserveAsCollateral function and, through validateSetUseReserveAsCollateral, enable an isolated asset as collateral without possessing the necessary role.
Users can explicitly enable an asset as collateral by calling the setUserUseReserveAsCollateral function. This function invokes validateSetUseReserveAsCollateral, which lacks any access control checks related to isolated assets.
No response
No response
Access control is only enforced during automatic collateral activation (validateAutomaticUseAsCollateral). Explicit collateral activation (validateSetUseReserveAsCollateral) lacks the necessary checks.
Any user can enable isolated assets as collateral, bypassing the intended role-based access control.
No response
Enforce Access Control in validateSetUseReserveAsCollateral
Modify the validateSetUseReserveAsCollateral function to include the same access control checks as validateAutomaticUseAsCollateral for isolated assets.