UserManager.updateFrozenInfo cannot be called from UToken
twicek security
UserManager.updateFrozenInfo cannot be called from UToken
UserManager.updateFrozenInfo cannot be called from UTokenSummary
The new version of the contract doesn't allow
UserManager.updateFrozenInfo to be called from UToken. Hence, if a borrower is overdue he will not be able to call UToken._repayBorrowFresh to repay his principal.Vulnerability Detail
When
UToken._repayBorrowFresh is called with an overdue borrower as borrower, the call to UToken._repayBorrowFresh will always revert if repayAmount >= interest because updateFrozenInfo is called on the UserManager contract: if (isOverdue) {
// For borrowers that are paying back overdue balances we need to update their
// frozen balance and the global total frozen balance on the UserManager
IUserManager(userManager).updateFrozenInfo(borrower, 0);
But
UserManager.updateFrozenInfo cannot be called from the UToken contract. Only the Comptroller contract can call this function: function updateFrozenInfo(address staker, uint256 pastBlocks) external onlyComptroller returns (uint256, uint256) {
return _updateFrozen(staker, pastBlocks);
}
Impact
When a borrower is overdue he will not be able to repay is principal. Any call to
UToken._repayBorrowFresh with repayAmount >= interest will revert.Code Snippet
IUserManager(userManager).updateFrozenInfo(borrower, 0);
function updateFrozenInfo(address staker, uint256 pastBlocks) external onlyComptroller returns (uint256, uint256) {
Tool used
Manual Review
Recommendation
Add access for the
UToken contract to UserManager.updateFrozenInfo by using this modifier: modifier onlyMarketOrComptroller() {
if (address(uToken) != msg.sender && address(comptroller) != msg.sender) revert AuthFailed();
_;
}
Like this project
Posted Jul 12, 2023
Union Finance V2 Sherlock's contest: UserManager.updateFrozenInfo cannot be called from UToken
Likes
0
Views
12
