Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Voyage>Low findings>The maxWithdraw functionality is broken
GeneralOverview
Findings
Critical (7)
High (6)
Medium (3)
Low (5)Broken maxWithdrawPreviewBuyNow incorrect orderBlanket ERC20 approvalJunior IR interestERC20 transfer validation
Informational (1)
DiscussionCentralization riskCode maturitySlitherOracle hardeningVoyage findingsNeedsTitle
Audit ResultsSummary
Category: Business Logic

The maxWithdraw functionality is broken

Low Severity
Low Impact
High Likelihood

Description

Depositors will be unable to use the intended maxWithdraw functionality in withdraw(...):

uint256 userBalance = vToken.maxWithdraw(msg.sender);
uint256 amountToWithdraw = _amount;
if (_amount == type(uint256).max) {
    amountToWithdraw = userBalance;
}
BorrowState storage borrowState = LibAppStorage.ds()._borrowState[
    _collection
][reserve.currency];
uint256 totalDebt = borrowState.totalDebt + borrowState.totalInterest;
uint256 avgBorrowRate = borrowState.avgBorrowRate;
IVToken(vToken).withdraw(_amount, msg.sender, msg.sender);

Impact

Users will need to make withdraw requests for exact amounts in order to retrieve all of their deposited funds. If the _amount provided in the function call exceeds the available balance, the function will fail with no clear error message. This can create a frustrating and unexpected user experience.

Recommendations

Change

IVToken(vToken).withdraw(_amount, msg.sender, msg.sender);

to

IVToken(vToken).withdraw(amountToWithdraw, msg.sender, msg.sender);

Also, modify the _amount check to the following:

if (_amount == type(uint256).max || _amount > userBalance) {
    amountToWithdraw = userBalance;
}

Remediation

Commits aac23ae9 and 0e00c990 were indicated as containing the remediation. The commits correctly fix the issue by applying the suggested remediations.

Zellic © 2023Back to top ↑