From 0a58e714bfe28d28dc1e9d8e689b22b378fa629c Mon Sep 17 00:00:00 2001
From: emilio
Date: Tue, 15 Jun 2021 18:38:51 +0200
Subject: [PATCH 1/2] feat: added isContract() check on rebalanceStableBorrowRate()
---
 contracts/protocol/lendingpool/LendingPool.sol | 5 +++++
 contracts/protocol/libraries/helpers/Errors.sol | 1 +
 2 files changed, 6 insertions(+)
diff --git a/contracts/protocol/lendingpool/LendingPool.sol b/contracts/protocol/lendingpool/LendingPool.sol
index fbf9a2b0..2c91fb5a 100644
--- a/contracts/protocol/lendingpool/LendingPool.sol
+++ b/contracts/protocol/lendingpool/LendingPool.sol
@@ -26,6 +26,7 @@ import {ReserveConfiguration} from '../libraries/configuration/ReserveConfigurat
 import {UserConfiguration} from '../libraries/configuration/UserConfiguration.sol';
 import {DataTypes} from '../libraries/types/DataTypes.sol';
 import {LendingPoolStorage} from './LendingPoolStorage.sol';
+import {Address} from '../../dependencies/openzeppelin/contracts/Address.sol';
 /**
 * @title LendingPool contract
@@ -50,6 +51,7 @@ contract LendingPool is VersionedInitializable, ILendingPool, LendingPoolStorage
 using PercentageMath for uint256;
 using SafeERC20 for IERC20;
 using ReserveLogic for DataTypes.ReserveCache;
+ using Address for address;
 uint256 public constant LENDINGPOOL_REVISION = 0x2;
@@ -326,6 +328,9 @@ contract LendingPool is VersionedInitializable, ILendingPool, LendingPoolStorage
 * @param user The address of the user to be rebalanced
 **/
 function rebalanceStableBorrowRate(address asset, address user) external override whenNotPaused {
+
+ require(!address(msg.sender).isContract(), Errors.LP_CALLER_NOT_EOA);
+
 DataTypes.ReserveData storage reserve = _reserves[asset];
 DataTypes.ReserveCache memory reserveCache = reserve.cache();
diff --git a/contracts/protocol/libraries/helpers/Errors.sol b/contracts/protocol/libraries/helpers/Errors.sol
index 4b0644f5..e0fea7bb 100644
--- a/contracts/protocol/libraries/helpers/Errors.sol
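Review bot: In the third LendingPool.sol hunk, `require(!address(msg.sender).isContract(), Errors.LP_CALLER_NOT_EOA)` does not establish that the caller is an EOA: a code-size check also reports false for any address that has no deployed code yet, which includes a contract whose constructor is still executing, so the error name promises more than the check delivers. The same line is re-added in the last ValidationLogic.sol hunk of PATCH 2/2 and carries the same limitation. If an EOA-only caller is really the requirement, `require(msg.sender == tx.origin, Errors.LP_CALLER_NOT_EOA);` expresses it directly, at the cost of locking out multisigs and other contract callers; either way the NatSpec above the function should state the new restriction, e.g. `* @dev Reverts with LP_CALLER_NOT_EOA when the caller is a contract`. The function body continues outside the hunk.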
+++ b/contracts/protocol/libraries/helpers/Errors.sol
@@ -112,6 +112,7 @@ library Errors {
 string public constant RL_ATOKEN_SUPPLY_NOT_ZERO = '88';
 string public constant RL_STABLE_DEBT_NOT_ZERO = '89';
 string public constant RL_VARIABLE_DEBT_SUPPLY_NOT_ZERO = '90';
+ string public constant LP_CALLER_NOT_EOA = '91';
 enum CollateralManagerErrors {
 NO_ERROR,
From cce28ab4ea3f6cdd5cb73dd3e41921dc9ea25cc1 Mon Sep 17 00:00:00 2001
From: emilio
Date: Tue, 15 Jun 2021 18:56:38 +0200
Subject: [PATCH 2/2] refactor: moved check to validateRebalanceStableBorrowRate
---
 contracts/protocol/lendingpool/LendingPool.sol | 4 ----
 contracts/protocol/libraries/logic/ValidationLogic.sol | 8 +++++++-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/contracts/protocol/lendingpool/LendingPool.sol b/contracts/protocol/lendingpool/LendingPool.sol
index 2c91fb5a..a219e8fc 100644
--- a/contracts/protocol/lendingpool/LendingPool.sol
+++ b/contracts/protocol/lendingpool/LendingPool.sol
@@ -26,7 +26,6 @@ import {ReserveConfiguration} from '../libraries/configuration/ReserveConfigurat
 import {UserConfiguration} from '../libraries/configuration/UserConfiguration.sol';
 import {DataTypes} from '../libraries/types/DataTypes.sol';
 import {LendingPoolStorage} from './LendingPoolStorage.sol';
-import {Address} from '../../dependencies/openzeppelin/contracts/Address.sol';
 /**
 * @title LendingPool contract
@@ -51,7 +50,6 @@ contract LendingPool is VersionedInitializable, ILendingPool, LendingPoolStorage
 using PercentageMath for uint256;
 using SafeERC20 for IERC20;
 using ReserveLogic for DataTypes.ReserveCache;
- using Address for address;
 uint256 public constant LENDINGPOOL_REVISION = 0x2;
@@ -329,8 +327,6 @@ contract LendingPool is VersionedInitializable, ILendingPool, LendingPoolStorage
 **/
 function rebalanceStableBorrowRate(address asset, address user) external override whenNotPaused {
- require(!address(msg.sender).isContract(), Errors.LP_CALLER_NOT_EOA);
-
 DataTypes.ReserveData storage reserve = _reserves[asset];
 DataTypes.ReserveCache memory reserveCache = reserve.cache();
diff --git a/contracts/protocol/libraries/logic/ValidationLogic.sol b/contracts/protocol/libraries/logic/ValidationLogic.sol
index 26388f46..7f64887a 100644
--- a/contracts/protocol/libraries/logic/ValidationLogic.sol
+++ b/contracts/protocol/libraries/logic/ValidationLogic.sol
@@ -20,6 +20,7 @@ import {IScaledBalanceToken} from '../../../interfaces/IScaledBalanceToken.sol';
 import {IAToken} from '../../../interfaces/IAToken.sol';
 import {DataTypes} from '../types/DataTypes.sol';
 import {IPriceOracleGetter} from '../../../interfaces/IPriceOracleGetter.sol';
+import {Address} from '../../../dependencies/openzeppelin/contracts/Address.sol';
 /**
 * @title ReserveLogic library
@@ -34,6 +35,7 @@ library ValidationLogic {
 using SafeERC20 for IERC20;
 using ReserveConfiguration for DataTypes.ReserveConfigurationMap;
 using UserConfiguration for DataTypes.UserConfigurationMap;
+ using Address for address;
 uint256 public constant REBALANCE_UP_LIQUIDITY_RATE_THRESHOLD = 4000;
 uint256 public constant REBALANCE_UP_USAGE_RATIO_THRESHOLD = 0.95 * 1e27; //usage ratio of 95%
@@ -283,7 +285,7 @@ library ValidationLogic {
 /**
 * @dev Validates a swap of borrow rate mode.
 * @param reserve The reserve state on which the user is swapping the rate
- * @param reserveCache The cached data of the reserve
+ * @param reserveCache The cached data of the reserve
 * @param userConfig The user reserves configuration
 * @param stableDebt The stable debt of the user
 * @param variableDebt The variable debt of the user
@@ -345,6 +347,10 @@ library ValidationLogic {
 IERC20 variableDebtToken,
 address aTokenAddress
 ) external view {
+
+ // to avoid potential abuses using flashloans, the rebalance stable rate must happen through an EOA
+ require(!address(msg.sender).isContract(), Errors.LP_CALLER_NOT_EOA);
+
 (bool isActive, , , , bool isPaused) = reserveCache.reserveConfiguration.getFlagsMemory();
 require(isActive, Errors.VL_NO_ACTIVE_RESERVE);
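Review bot: The added `require` in this hunk reports `Errors.LP_CALLER_NOT_EOA`, while the check two lines below it in the same library uses the `VL_` prefix (`Errors.VL_NO_ACTIVE_RESERVE`); now that the check lives in ValidationLogic, a `VL_`-prefixed constant would keep the error namespace consistent with its neighbours. The new comment could also record why `msg.sender` is meaningful inside a library function, for example `// msg.sender is the pool's caller: external library functions run via DELEGATECALL`, since a reader may otherwise assume it refers to the pool itself. The function signature starts above the hunk, so its name is known here only from the commit subject.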