Revert Lend Mitigation Review details

• Total Prize Pool: $23,500 in USDC
  • HM awards: $21,150
  • Judge awards: $2,350
• Warden guidelines for C4 mitigation reviews
• Submit findings using the C4 form
• Starts April 19, 2024 20:00 UTC
• Ends April 29, 2024 20:00 UTC

Important note

Each warden must submit a mitigation review for every individual PR listed in the Scope section below. Incomplete mitigation reviews will not be eligible for awards.

Findings being mitigated

Mitigations of all High and Medium issues will be considered in-scope and listed here.

• H-01: V3Vault.sol permit signature does not check receiving token address is USDC

• H-02: Risk of reentrancy onERC721Received function to manipulate collateral token configs shares

• H-03: V3Vault::transform does not validate the data input and allows a depositor to exploit any position approved on the transformer

• H-04: V3Utils.execute() does not have caller validation, leading to stolen NFT positions from users

• H-05: _getReferencePoolPriceX96() will show incorrect price for negative tick deltas in current implementation cause it doesn't round up for them

• H-06: Owner of a position can prevent liquidation due to the 'onERC721Received' callback

• M-01: An attacker can easily bypass the collateral value limit factor checks

• M-02: Protocol can be repeatedly gas griefed in AutoRange external call

• M-03: No minLoanSize means liquidators will have no incentive to liquidate small positions

• M-04: Due to interest rates update method, Interest-Free Loans are possible and the Cost of DoS are reduced

• M-05: setReserveFactor fails to update global interest before updating reserve factor

• M-06: Users can lend and borrow above allowed limitations

• M-07: Large decimal of referenceToken causes overflow at oracle price calculation

• M-08: DailyLendIncreaseLimitLeft and dailyDebtIncreaseLimitLeft are not adjusted accurately.

• M-09: Liquidation reward sent to msg.sender instead of recipient

• M-10: Users's tokens stuck in AutoCompound after Vault is deactivated.

• M-11: Lack of safety buffer in _checkLoanIsHealthy could subject users who take out the max loan into a forced liquidation

• M-12: Wrong global lending limit check in _deposit function

• M-13: User might execute PositionToken of token set by previous token owner.

• M-14: V3Vault is not ERC-4626 compliant

• M-15: Users' newly created positions can be prematurely closed and removed from the vault directly after they are created

• M-16: Repayments and liquidations can be forced to revert by an attacker that repays miniscule amount of shares

• M-17: AutoExit could receive a reward calculated from the entire position's fund even if onlyFee is true in AutoExit.execute().

• M-18: Users cannot stop loss in AutoRange and AutoExit

• M-19: V3Oracle susceptible to price manipulation

• M-20: Tokens can't be removed as a collateral without breaking liquidations and other core functions

• M-21: Dangerous use of deadline parameter

• M-22: dailyDebtIncreaseLimitLeft is not updated in liquidate().

• M-23: AutoRange execution can be front-ran to avoid protocol fee, causing loss for protocol

• M-24: Incorrect liquidation fee calculation during underwater liquidation, disincentivizing liquidators to participate

• M-25: Asymmetric calculation of price difference

Scope

Branch

https://github.com/revert-finance/lend/tree/audit

Mitigation of High & Medium Severity Issues

Wherever possible, mitigations should be provided in separate pull requests, one per issue. If that is not possible (e.g. because several audit findings stem from the same core problem), then please link the PR to all relevant issues in your findings repo.

Additional scope to be reviewed

These are additional changes that will be in scope.

Out of Scope

Please list any High and Medium issues that were judged as valid but you have chosen not to fix.