Code4rena (code423n4): 2022-10-inverse-findings, issue 362
Oct 30, 2022

Liquidation function does not consider cases where the liquidated user does not have enough collateral to pay.

Source: Code4rena, github.com
Tags: liquidation function, collateral payment, vulnerability, mitigation steps, aave-v3-core

Lines of code

Vulnerability details

Impact

The liquidation function does not consider cases where the liquidated user does not have enough collateral to pay the liquidator's reward, so such liquidations revert instead of succeeding for the amount the collateral can cover.

Proof of Concept

The problem is that the paid collateral is determined by repaidDebt (I ignored decimals for simplification of the formulas I'm going to present):
paid_collateral = (1 + liquidationIncentiveBps) * repaidDebt.
We of course want paid_collateral < getCollateralValueInternal() so the liquidated user will be able to pay the reward.
This means (1 + liquidationIncentiveBps) * repaidDebt < getCollateralValueInternal(), which implies repaidDebt < getCollateralValueInternal() / (1 + liquidationIncentiveBps).
There is no such requirement in the liquidation() function, thus there are cases when the liquidated user won't be able to pay the collateral reward and the function would revert. (Note that there is a check on repaidDebt: require(repaidDebt <= debt * liquidationFactorBps / 10000, "Exceeded liquidation factor"); but it does not guarantee that the wanted condition also holds, since the liquidation factor bounds repaidDebt relative to the debt, not relative to the remaining collateral value.)

Tools Used

Manual audit.

Recommended Mitigation Steps

Check for cases where repaidDebt > getCollateralValueInternal() / (1 + liquidationIncentiveBps) and in those cases change repaidDebt
to Min(getCollateralValueInternal() / (1 + liquidationIncentiveBps), debt * liquidationFactorBps), i.e. clamp the repaid amount to whichever of the two bounds is smaller instead of reverting.
This is also done by Aave in v3:
<https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/libraries/logic/LiquidationLogic.sol#L511>
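The following is an added example, not code from the audited contract or from this finding: a small Python model of the arithmetic in the Proof of Concept and of the clamp proposed in the mitigation, carried through with basis-point decimals that the finding's simplified formulas leave out. `Market`, `liquidate_unchecked`, `liquidate_clamped` and the position values are hypothetical; the revert on insufficient collateral stands in for the transfer failure the finding describes, and the "Exceeded liquidation factor" check is the one the finding quotes. The incentive term (1 + liquidationIncentiveBps) is modelled as (10000 + bps) / 10000.

```python
# Added example: a Python model of the liquidation arithmetic in the finding.
# It is not the audited contract's code; Market, liquidate_unchecked and
# liquidate_clamped are hypothetical names, and the RuntimeError stands in for
# the revert the finding describes when the reward exceeds the collateral.
BPS = 10_000  # basis-point denominator used by the contract's *Bps parameters


def collateral_paid(repaid_debt: int, incentive_bps: int) -> int:
    """Collateral handed to the liquidator: (1 + incentive) * repaidDebt, in bps."""
    return repaid_debt * (BPS + incentive_bps) // BPS


def max_repayable_by_collateral(collateral_value: int, incentive_bps: int) -> int:
    """Largest repaidDebt whose reward still fits within collateral_value.

    Rearranges (1 + incentive) * repaidDebt <= collateralValue. Floor division
    guarantees collateral_paid(result, incentive_bps) <= collateral_value.
    """
    return collateral_value * BPS // (BPS + incentive_bps)


class Market:
    """Minimal borrower position (hypothetical; debt and collateral share a unit)."""

    def __init__(self, debt: int, collateral_value: int,
                 liquidation_factor_bps: int, liquidation_incentive_bps: int):
        self.debt = debt
        self.collateral_value = collateral_value
        self.liquidation_factor_bps = liquidation_factor_bps
        self.liquidation_incentive_bps = liquidation_incentive_bps

    def factor_cap(self) -> int:
        """The only bound the finding says liquidation() enforces on repaidDebt."""
        return self.debt * self.liquidation_factor_bps // BPS

    def _settle(self, repaid_debt: int) -> int:
        reward = collateral_paid(repaid_debt, self.liquidation_incentive_bps)
        if reward > self.collateral_value:
            # Transferring more collateral than the borrower holds reverts.
            raise RuntimeError("insufficient collateral for liquidation reward")
        self.debt -= repaid_debt
        self.collateral_value -= reward
        return reward

    def liquidate_unchecked(self, repaid_debt: int) -> int:
        """Behaviour described in the finding: only the liquidation factor is checked."""
        if repaid_debt > self.factor_cap():
            raise ValueError("Exceeded liquidation factor")
        return self._settle(repaid_debt)

    def liquidate_clamped(self, repaid_debt: int) -> int:
        """Mitigation: clamp repaidDebt to min(collateral bound, factor bound)."""
        cap = min(self.factor_cap(),
                  max_repayable_by_collateral(self.collateral_value,
                                              self.liquidation_incentive_bps))
        return self._settle(min(repaid_debt, cap))


def demo():
    """Constructed position: 1000 debt against 500 collateral, 10% incentive, 100% factor."""
    before = Market(debt=1000, collateral_value=500,
                    liquidation_factor_bps=10_000, liquidation_incentive_bps=1_000)
    try:
        before.liquidate_unchecked(500)  # passes the factor check but needs 550 collateral
        unchecked = "paid"
    except RuntimeError:
        unchecked = "reverted"

    after = Market(debt=1000, collateral_value=500,
                   liquidation_factor_bps=10_000, liquidation_incentive_bps=1_000)
    reward = after.liquidate_clamped(500)  # clamped to 454 repaid, 499 collateral paid
    return unchecked, reward, after.debt, after.collateral_value


if __name__ == "__main__":
    print(demo())
```

With the constructed position, the unclamped path accepts repaidDebt = 500 (it is within debt * liquidationFactorBps) and then tries to hand over 550 of the borrower's 500 collateral, which is the revert the finding points at; the clamped path settles the largest amount the collateral can actually reward. Because the collateral bound is computed with floor division, the seized amount can never exceed the collateral value by a rounding step.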

