Lines of code
<https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Shortfall/Shortfall.sol#L381>
When swapping risk funds in a pool with swapPoolsAssets(address[],uint256[],address[][]) from each market's underlying asset to convertibleBaseAsset, only a limited selection of markets is supplied as the input parameter:

```solidity
function swapPoolsAssets(
    address[] calldata markets,
    uint256[] calldata amountsOutMin,
    address[][] calldata paths
) external override returns (uint256) {
    // ...
}
```
But when auctioning off pool bad debt, every market's bad debt in the pool is summed to form poolBadDebt, the total bad debt of the pool. Additionally, when the Shortfall contract auctions off bad debt, there is no check that the pool reserves are up to date:

```solidity
function _startAuction(address comptroller) internal {
    // ...
    uint256 riskFundBalance = riskFund.poolReserves(comptroller); // @audit pool reserves may be stale
    uint256 remainingRiskFundBalance = riskFundBalance;
    uint256 incentivizedRiskFundBalance = poolBadDebt + ((poolBadDebt * incentiveBps) / MAX_BPS);
    if (incentivizedRiskFundBalance >= riskFundBalance) {
        auction.startBidBps =
            (MAX_BPS * MAX_BPS * remainingRiskFundBalance) /
            (poolBadDebt * (MAX_BPS + incentiveBps));
        remainingRiskFundBalance = 0;
        auction.auctionType = AuctionType.LARGE_POOL_DEBT;
    } else {
        uint256 maxSeizeableRiskFundBalance = incentivizedRiskFundBalance;
        remainingRiskFundBalance = remainingRiskFundBalance - maxSeizeableRiskFundBalance;
        auction.auctionType = AuctionType.LARGE_RISK_FUND;
        auction.startBidBps = MAX_BPS;
    }
    // ...
}
```

As a result, every auction is sized against more or less stale pool reserves, which means losses for the protocol.
Manual analysis
All assets reserved from each market in a pool should be used when swapping to convertibleBaseAsset, and validation should check that every market in the pool is present in the markets input. This also means a comptroller address should be passed as an input to swapPoolsAssets(address[],uint256[],address[][]) so that each market's own comptroller address can be checked against it, ensuring they all belong to the same pool. Additionally, please consider adding a staleness check.
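The following sketch is an added example, not Venus code, showing one way to implement the mitigation above: the caller passes the comptroller explicitly, every supplied market is checked to belong to that pool, the list is required to cover the whole pool (count match plus no duplicates), and a successful full swap records a timestamp that the Shortfall side checks before starting an auction. The interface members `getAllMarkets()` and `comptroller()`, the `reservesUpdatedAt` bookkeeping, `MAX_RESERVE_STALENESS` and `_swapAll` are assumptions introduced for illustration; verify them against the real ABI before adapting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumed pool interfaces (illustrative; check the actual Venus ABI).
interface IComptroller {
    function getAllMarkets() external view returns (address[] memory);
}

interface IVToken {
    function comptroller() external view returns (address);
}

// RiskFund-side guard (hypothetical): validates the market list before swapping
// and stamps the block number of the last complete swap per pool.
abstract contract RiskFundSwapGuard {
    // Block number of the last whole-pool swap into convertibleBaseAsset, keyed
    // by comptroller. Public so the Shortfall contract can read it.
    mapping(address => uint256) public reservesUpdatedAt;

    error MarketCountMismatch(uint256 expected, uint256 given);
    error MarketNotInPool(address market);
    error DuplicateMarket(address market);

    // Every market must belong to `comptroller`, none may repeat, and the count
    // must equal the pool's market count; together this forces a full-pool swap.
    function _requireWholePool(address comptroller, address[] calldata markets) internal view {
        address[] memory poolMarkets = IComptroller(comptroller).getAllMarkets();
        if (poolMarkets.length != markets.length) {
            revert MarketCountMismatch(poolMarkets.length, markets.length);
        }
        for (uint256 i = 0; i < markets.length; ++i) {
            if (IVToken(markets[i]).comptroller() != comptroller) revert MarketNotInPool(markets[i]);
            for (uint256 j = 0; j < i; ++j) {
                if (markets[j] == markets[i]) revert DuplicateMarket(markets[i]);
            }
        }
    }

    // Guarded entry point: comptroller is now an explicit input.
    function swapPoolsAssets(
        address comptroller,
        address[] calldata markets,
        uint256[] calldata amountsOutMin,
        address[][] calldata paths
    ) external returns (uint256 total) {
        _requireWholePool(comptroller, markets);
        total = _swapAll(markets, amountsOutMin, paths); // existing swap logic, unchanged
        reservesUpdatedAt[comptroller] = block.number;  // reserves are fresh as of now
    }

    // Placeholder for the existing per-market swap loop.
    function _swapAll(
        address[] calldata markets,
        uint256[] calldata amountsOutMin,
        address[][] calldata paths
    ) internal virtual returns (uint256);
}

// Minimal view of the guard that Shortfall needs (assumed getter name).
interface IRiskFundSwapGuard {
    function reservesUpdatedAt(address comptroller) external view returns (uint256);
}

// Shortfall-side guard (hypothetical): refuse to start an auction when
// poolReserves(comptroller) has not been refreshed recently enough.
abstract contract ShortfallFreshnessGuard {
    // Maximum age, in blocks, of the reserve snapshot an auction may rely on (assumed value).
    uint256 public constant MAX_RESERVE_STALENESS = 100;

    IRiskFundSwapGuard public immutable riskFundGuard;

    error StaleReserves(address comptroller, uint256 updatedAt);

    constructor(IRiskFundSwapGuard _riskFundGuard) {
        riskFundGuard = _riskFundGuard;
    }

    // To be called at the top of _startAuction before reading poolReserves.
    function _requireFreshReserves(address comptroller) internal view {
        uint256 updatedAt = riskFundGuard.reservesUpdatedAt(comptroller);
        if (updatedAt == 0 || block.number - updatedAt > MAX_RESERVE_STALENESS) {
            revert StaleReserves(comptroller, updatedAt);
        }
    }
}
```

The duplicate check is quadratic in the number of markets, which is acceptable for the small market counts a single pool holds; a larger pool would warrant tracking seen markets in a mapping instead. The staleness bound is expressed in blocks rather than seconds so it cannot be nudged by timestamp drift.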
Other