Welcome to Sherlock's Vulnerability Spotlight! Each week, we will highlight an impactful vulnerability our researchers uncovered during a Sherlock audit.
This week we have an excessive withdrawal via misconfiguration.
It was found by @bin2chen, @TheCHADuke, iglyx, @tapired, @xiaoming9090, and @0xleastwood in the @NotionalFinance V3 contest.
If the currentBalance is 999,900 USDC and the withdrawAmountExternal is 1,000,000 USDC, then there is insufficient balance in the contract, and additional funds need to be withdrawn from the money market (e.g., Compound).
Since the contract already has 999,900 USDC, only an additional 100 USDC needs to be withdrawn from the money market to fulfill the withdrawal request of 1,000,000 USDC
However, instead of withdrawing 100 USDC from the money market, Notional withdraws 1,000,000 USDC from the market as per the oracle.getRedemptionCalldata(withdrawAmountExternal) function. As a result, an excess of 999,900 USDC is being withdrawn from the money market.
What’s the impact?
This led to an excessive amount of assets idling in Notional and not generating any returns or interest in the money market, which led to significant loss of yield for the users as they would receive a lower interest rate than expected and incur opportunity loss.
Attackers could potentially abuse this to pull the funds Notional invested in the money market, leading to griefing and staggering loss of returns/interest for the protocol.
The Fix:
Essentially, before the fix, the code was saying to the oracle: "Prepare steps to withdraw everything the user wants from the money market."
When it should have said, "Only pull what we’re missing from the money market."
After the fix, for the earlier example, the 999,900 USDC already held by the contract stays untouched and continues earning yield, improving efficiency, and preserving returns for all users.
This vulnerability stemmed from a subtle logic flaw in how withdrawal amounts were calculated and passed. By overlooking the contract’s existing balance, the system unnecessarily pulled excessive funds from the money market, leading to capital inefficiency and yield loss.
We are proud to have helped secure Notional through this discovery. When it absolutely needs to be secure, Sherlock is the right choice.
2.45K
30
The content on this page is provided by third parties. Unless otherwise stated, OKX TR is not the author of the cited article(s) and does not claim any copyright in the materials. The content is provided for informational purposes only and does not represent the views of OKX TR. It is not intended to be an endorsement of any kind and should not be considered investment advice or a solicitation to buy or sell digital assets. To the extent generative AI is utilized to provide summaries or other information, such AI generated content may be inaccurate or inconsistent. Please read the linked article for more details and information. OKX TR is not responsible for content hosted on third party sites. Digital asset holdings, including stablecoins and NFTs, involve a high degree of risk and can fluctuate greatly. You should carefully consider whether trading or holding digital assets is suitable for you in light of your financial condition.