Shield - Attacker can force a user to enter a market

[sherlock-admin3]

Shield

medium

Attacker can force a user to enter a market

Summary

Vulnerability Detail

• Whenever a user borrows (even a zero borrow) they are entered into the market
• There's no check on borrow() to verify that the borrow amount isn't zero.
• Since borrowing a zero amount doesn't require any allowance, anybody can call borrow() with zero amount using any receiver as borrower
• This leads to the fact that anybody can force anybody to enter into any market

Consider the following scenario:

• Bob has assets in the USDC, and DAI market
• They approved Alice to borrow on their behalf on the ETH market
• They entered the USDC market, but not the DAI market
• Alice now wants to use Bob's DAI collateral to take a loan, so she forces him to enter the market with a zero-borrow
• Alice took a loan using collateral she wasn't supposed to use according to the protocol's design, causing a loss of assets to Bob

Impact

Users are forced to enter market and use their assets as collateral.
This allows users who're approved to borrow on other markets to borrow on their behalf using assets they didn't intend to use as collateral.

Code Snippet

No zero check here:
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Market.sol#L140-L145

PoC:
Add the following to protocol/test/Market.t.sol

import { console2} from "forge-std/console2.sol";

  function testForceEnter_POC() external {
    address bob = address(0xbab);
    uint marketsBefore = auditor.accountMarkets(bob);
    market.borrow(0, address(this), bob);
    uint marketsAfter = auditor.accountMarkets(bob);

    console2.log("before:", marketsBefore);
    console2.log("after:", marketsAfter);
  }

Ouptut:

Ran 1 test for test/Market.t.sol:MarketTest
[PASS] testForceEnter_POC() (gas: 162091)
Logs:
  before 0
  after 1

Tool used

Manual Review

Recommendation

Revert on zero borrows

Duplicate of #76