Code4rena (code423n4) CODE423N4:2023-12-INITCAPITAL-FINDINGS-ISSUES-11
Dec 18, 2023 - 12:00 a.m.

Should count pending harvest reward and already harvested reward as collateral credit if the collateral is WLP


Lines of code
<https://github.com/code-423n4/2023-12-initcapital/blob/a53e401529451b208095b3af11862984d0b32177/contracts/core/PosManager.sol#L308>

Vulnerability details

Impact

Pending harvest rewards and already harvested rewards should count as collateral credit if the collateral is WLP.

Proof of Concept

A user can use WLP as collateral, and can even use WLP purely as collateral to borrow funds from the lending pool.

The collateral worth of WLP is calculated as follows:

 uint wLpPrice_e36 = IBaseWrapLp(wLps[i]).calculatePrice_e36(ids[i][j], _oracle);

If a user collateralizes using WLP

and then decollateralizes to remove the WLP,

the code harvests the reward, and the NFT position can then claim the reward.

All of this logic is in the function removeCollateralWLPTo, which calls _harvest.

The logic to harvest the reward is here:

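 function _harvest(uint _posId, address _wlp, uint _tokenId) internal {
     // Pull the accrued rewards for this WLP token id into this contract.
     (address[] memory tokens, uint[] memory amts) = IBaseWrapLp(_wlp).harvest(_tokenId, address(this));
     for (uint i; i < tokens.length; i = i.uinc()) {
         // Credit each reward token to the position so its owner can claim it later.
         pendingRewards[_posId][tokens[i]] += amts[i];
     }
 }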

The position owner can then call claimPendingRewards to claim the harvested reward.

While this approach ensures that the original LP owner has access to the pending reward (such as fees earned as a liquidity provider),

the harvested reward or pending harvested reward does not count towards the user's collateral credit, because only the function

 uint wLpPrice_e36 = IBaseWrapLp(wLps[i]).calculatePrice_e36(ids[i][j], _oracle);

is called, and the code does not query pendingRewards.

This results in the user's collateral worth being undercounted and undervalued, and the user can be liquidated unfairly.
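
The accounting gap described above, as an added numerical model (not code from this report or from INIT Capital). The position, the prices, the "RWD" reward token, the 80% collateral factor and the choice to apply that same factor to reward tokens are all constructed assumptions.

```python
# Added illustration: a simplified model, not INIT Capital's code. All numbers,
# the "RWD" token and the reuse of one collateral factor are constructed.
from dataclasses import dataclass, field

BPS = 10_000  # basis-point denominator

@dataclass
class Position:
    wlp_amount: int    # WLP units posted as collateral
    debt_value: int    # borrowed value, in USD cents
    unharvested: dict = field(default_factory=dict)      # accrued inside the WLP
    pending_rewards: dict = field(default_factory=dict)  # harvested, claimable

def harvest(pos: Position) -> None:
    """Model of _harvest: move accrued rewards into pendingRewards."""
    for token, amt in pos.unharvested.items():
        pos.pending_rewards[token] = pos.pending_rewards.get(token, 0) + amt
    pos.unharvested = {}

def reward_value(pos: Position, prices: dict) -> int:
    """Value of rewards owed to the position, harvested or not."""
    total = 0
    for bucket in (pos.unharvested, pos.pending_rewards):
        total += sum(amt * prices[token] for token, amt in bucket.items())
    return total

def collateral_credit(pos, wlp_price, prices, factor_bps, count_rewards):
    """Credit from the WLP price alone, or with rewards added."""
    value = pos.wlp_amount * wlp_price
    if count_rewards:
        value += reward_value(pos, prices)
    return value * factor_bps // BPS

def is_liquidatable(pos, wlp_price, prices, factor_bps, count_rewards):
    credit = collateral_credit(pos, wlp_price, prices, factor_bps, count_rewards)
    return credit < pos.debt_value

# Constructed sample: 100 WLP at $10.00, 80% factor, $820.00 debt, 40 RWD at $1.00.
WLP_PRICE, PRICES, FACTOR = 1_000, {"RWD": 100}, 8_000

def sample_position() -> Position:
    return Position(wlp_amount=100, debt_value=82_000, unharvested={"RWD": 40})

if __name__ == "__main__":
    pos = sample_position()
    for label in ("before harvest", "after harvest"):
        for count in (False, True):
            print(label, count, is_liquidatable(pos, WLP_PRICE, PRICES, FACTOR, count))
        harvest(pos)
```

In this model the position is liquidatable when only the WLP price is used and healthy when rewards are included, and harvesting changes neither outcome because it only moves the rewards between buckets.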

Tools Used

Manual Review

Recommended Mitigation Steps

Make sure to count pending harvest rewards and already harvested rewards as collateral credit if the collateral is WLP.

Assessed type

Token-Transfer

