Lines of code
<https://github.com/code-423n4/2023-12-initcapital/blob/a53e401529451b208095b3af11862984d0b32177/contracts/core/PosManager.sol#L308>
Should count pending harvest reward and already harvested reward as collateral credit if the collateral is WLP
User can use WLP as collateral, even use WLP purely as collateral to borrow fund from lending pool
the collateral worth of WLP is calculated before
uint wLpPrice_e36 = IBaseWrapLp(wLps[i]).calculatePrice_e36(ids[i][j], _oracle);
if user collateralize using WLP
and then decollateralize to remove WLP
the code will harvest the reward, then the nft position can claim the reward
all these logic is in the function removeCollateralWLPTo and calling _harvest
the logic to harvest reward is here
function _harvest(uint _posId, address _wlp, uint _tokenId) internal {
(address[] memory tokens, uint[] memory amts) = IBaseWrapLp(_wlp).harvest(_tokenId, address(this));
for (uint i; i < tokens.length; i = i.uinc()) {
pendingRewards[_posId][tokens[i]] += amts[i];
}
}
then position owner can call claimPendingRewards to claim the harvested reward
while this approach ensures that the orignial LP owner can have access to the pending reward (such as fee as liquidity provider)
the harvested reward or pending harvested reward does not count towards user collateral credit because only the function
uint wLpPrice_e36 = IBaseWrapLp(wLps[i]).calculatePrice_e36(ids[i][j], _oracle);
is called and the code does not query struct pendingRewards
this results in userβs collateral worth being undercounted and undervalued and the user can be liquidated unfairly
Manual Review
make sure count pending harvest reward and already harvested reward as collateral credit if the collateral is WLP
Token-Transfer
The text was updated successfully, but these errors were encountered:
All reactions