'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Blackhan Software Disclosed Report
Audit report 
Target
https://github.com/blackhan-software/xpower-banq/tree/5f734cc14fd05afcf7ee221de0bb600f8ca2339c
Vulnerability Details
_settle function of the Pool contract that lets users reduce their debt by more than the actual assets they deposit into the Vault. this happens because the burn function uses amount instead of assets, and when the Vault has an entry fee, it causes a collateral shortage, bankrupting the vault. github : https://github.com/blackhan-software/xpower-banq/blob/5f734cc14fd05afcf7ee221de0bb600f8ca2339c/source/contract/Pool.sol#L382 code :
function _settle(
address user,
IERC20 token,
uint256 amount
) private returns (uint256 assets) {
IVault vault = _vault[token];
token.safeTransferFrom(user, address(this), amount);
assert(token.approve(address(vault), amount));
uint256 shares = vault.deposit(amount, address(this));
assets = vault.convertToAssets(shares);
vault.borrow().burn(user, amount, false); // bug: should use assets, not amount
require(assets > 0, EmptySettle(user, token, amount));
}
line vault.borrow().burn(user, amount, false) is wrong. it burns amount (the tokens transferred) instead of assets (the actual value added to the Vault after fees). Vault can have an entry fee (handled by _entryFee()), so assets is less than amount. for example, if a user deposits 100 tokens with a 1% fee, assets is 99, but burn reduces the debt by 100. this over-reduces the user’s debt, leaving the Vault undercollateralized. over time, the Vault loses assets compared to recorded debts, leading to insolvency.
fix : update the _settle function to burn assets instead of amount
Validation steps
foundry:
function test_incorrect_debt_settlement() public {
// user borrows 100 tokens
uint256 borrowamount = 100 * 10**token.decimals();
pool.borrow(token, borrowamount, false, IFlash(address(0)), "");
// user settles with 100 tokens, vault has 1% entry fee
uint256 settleamount = 100 * 10**token.decimals();
uint256 assets = pool.settle(token, settleamount);
// debt reduced by 100, but vault only got 99
uint256 debt = vault.borrow().totalOf(user);
assert(debt == 0); // debt fully cleared, vault undercollateralized
}
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (3) 
