Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-10-INVERSE-FINDINGS-ISSUES-503
HistoryOct 30, 2022 - 12:00 a.m.

Liquidator is paid too much

2022-10-3000:00:00
Code4rena
github.com
3
liquidator
overpaid
vulnerability
calculation
mitigation
code inspection
JSON

Lines of code

Vulnerability details

Impact

Liquidator is paid (1 + liquidationIncentive) * repaidDebt, instead of liquidationIncentive * repaidDebt.

Proof of Concept

liquidatorReward is currently calculated in Market.liquidate() as follows:

uint liquidatorReward = repaidDebt * 1 ether / price;
liquidatorReward += liquidatorReward * liquidationIncentiveBps / 10000;

The second line adds the intended fee on top of the entire repaid dept because of the += instead of an =, and uses this as the liquidator reward.

Tools Used

Code inspection

Recommended Mitigation Steps

Change Market.sol#L598 from
liquidatorReward += liquidatorReward * liquidationIncentiveBps / 10000;
into
liquidatorReward = liquidatorReward * liquidationIncentiveBps / 10000;.
Or, for consistency with the liquidation fee calculation at L606, just calculate everything directly:
uint liquidatorReward = repaidDebt * 1 ether / price * liquidationIncentiveBps / 10000;.

The text was updated successfully, but these errors were encountered:

All reactions

JSON