Code4rena: CODE423N4:2023-07-POOLTOGETHER-FINDINGS-ISSUES-387
Jul 14, 2023 - 12:00 a.m.

The output amount validation in Vault.liquidate() is not correct.


Lines of code

Vulnerability details

Impact

The output amount validation in Vault.liquidate() is not correct, so the method might accept an invalid output amount and reject a valid one.

Proof of Concept

Vault.liquidate() validates that the output share amount is less than or equal to the liquidatable yield.

    uint256 _liquidableYield = _liquidatableBalanceOf(_tokenOut);
    if (_amountOut > _liquidableYield) 
      revert LiquidationAmountOutGTYield(_amountOut, _liquidableYield); 

The liquidatable yield amount is denominated in the underlying asset token, so comparing the share amount directly against the underlying asset amount is not appropriate.

Share tokens are converted to asset tokens via the exchange rate. The vault gets _liquidableYield and mints _amountOut, so the asset amount equivalent to _amountOut of the share token is _amountOut * exchange rate. The validation should use that asset amount; the current implementation is incorrect whenever the exchange rate is not 1.

Tools Used

Manual Review

Recommended Mitigation Steps

The validation should use the underlying-asset equivalent of _amountOut, computed with the exchange rate.
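
The following sketch is an added example, not code from the PoolTogether repository or from the finding's author. It places the check as quoted above beside a unit-consistent version. It assumes the exchange rate is expressed as assets per share scaled by 1e18; the contract name, function names and rate parameter are hypothetical, and the error is redeclared locally so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustration only. Every name except LiquidationAmountOutGTYield is hypothetical.
contract LiquidationCheckSketch {
    // Redeclared here (assumed uint256 arguments) so the sketch is self-contained.
    error LiquidationAmountOutGTYield(uint256 amountOut, uint256 yield);

    // Assumption: the exchange rate is assets per share, fixed-point with 18 decimals.
    uint256 internal constant RATE_SCALE = 1e18;

    /// The check as quoted in the finding: a share amount compared to an asset amount.
    function checkAsWritten(uint256 amountOutShares, uint256 liquidableYieldAssets) public pure {
        if (amountOutShares > liquidableYieldAssets)
            revert LiquidationAmountOutGTYield(amountOutShares, liquidableYieldAssets);
    }

    /// Shares -> assets, rounded up so the check never undervalues the minted shares.
    function sharesToAssetsUp(uint256 shares, uint256 assetsPerShare) public pure returns (uint256) {
        uint256 product = shares * assetsPerShare; // checked arithmetic: reverts on overflow
        return product == 0 ? 0 : (product - 1) / RATE_SCALE + 1;
    }

    /// Unit-consistent check: both sides of the comparison are asset amounts.
    function checkInAssetUnits(
        uint256 amountOutShares,
        uint256 liquidableYieldAssets,
        uint256 assetsPerShare
    ) public pure {
        uint256 amountOutAssets = sharesToAssetsUp(amountOutShares, assetsPerShare);
        if (amountOutAssets > liquidableYieldAssets)
            revert LiquidationAmountOutGTYield(amountOutAssets, liquidableYieldAssets);
    }

    /// Returns true when the two checks reach different verdicts for the same inputs.
    /// With assetsPerShare == RATE_SCALE the conversion is the identity, so they always agree.
    function checksDisagree(
        uint256 amountOutShares,
        uint256 liquidableYieldAssets,
        uint256 assetsPerShare
    ) external pure returns (bool) {
        bool asWrittenPasses = amountOutShares <= liquidableYieldAssets;
        bool inAssetsPasses =
            sharesToAssetsUp(amountOutShares, assetsPerShare) <= liquidableYieldAssets;
        return asWrittenPasses != inAssetsPasses;
    }
}
```

checksDisagree() is suitable as a fuzz-test property: inputs for which it returns true are the amounts the original comparison would wrongly accept or wrongly reject.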

Assessed type

Error

