in liquidatePosition()
At the end of the liquidation, the liquidation fee will be transferred to the liquidator.
function liquidatePosition(
DataStruct.ClosePositionParams calldata params,
address borrower
) external override nonReentrant {
...
liquidateCache.liquidationRewardFrom =
((closeCache.tokenFromPremium) * LIQUIDATION_REWARD_FACTOR) /
uint128(Base.BASIS_POINT);
liquidateCache.liquidationRewardTo =
((closeCache.tokenToPremium) * LIQUIDATION_REWARD_FACTOR) /
uint128(Base.BASIS_POINT);
closeCache.tokenFromPremium -= liquidateCache.liquidationRewardFrom;
closeCache.tokenToPremium -= liquidateCache.liquidationRewardTo;
delete liens[lienKey];
// execute actual position closing
_closePosition(params, closeCache, lien, borrower);
// reward liquidator
@> TransferHelper.safeTransfer(closeCache.tokenFrom, msg.sender, liquidateCache.liquidationRewardFrom);
@> TransferHelper.safeTransfer(closeCache.tokenTo, msg.sender, liquidateCache.liquidationRewardTo);
emit LiquidatePosition(borrower, lien.tokenId, closeCache.amountFromAdd, closeCache.amountToAdd);
}
The problem with the above code is that when transferring to the liquidator, it does not judge whether liquidationRewardFrom/ liquidationRewardTo is greater than 0.
Some tokens will revert when the transfer quantity is 0 (e.g. LEND).
<https://github.com/d-xo/weird-erc20/?tab=readme-ov-file#revert-on-zero-value-transfers>
In this way, a malicious borrower can deliberately keep token0PremiumPortion/token1PremiumPortion at 0 or very small amount
when openPosition(), causing liquidationRewardFrom/ liquidationRewardTo to always be 0, causing this method liquidatePosition() to always fail and cannot be executed.
When the transfer quantity of some tokens is 0, it will revert.
In pools that include such tokens, malicious borrowers can control tokenPremiumPortion==0 to prevent forced liquidation.
function liquidatePosition(
DataStruct.ClosePositionParams calldata params,
address borrower
) external override nonReentrant {
+ if (liquidateCache.liquidationRewardFrom>0){
TransferHelper.safeTransfer(closeCache.tokenFrom, msg.sender, liquidateCache.liquidationRewardFrom);
+ }
+ if (liquidateCache.liquidationRewardTo>0){
TransferHelper.safeTransfer(closeCache.tokenTo, msg.sender, liquidateCache.liquidationRewardTo);
+ }
emit LiquidatePosition(borrower, lien.tokenId, closeCache.amountFromAdd, closeCache.amountToAdd);
}
ERC20
The text was updated successfully, but these errors were encountered:
All reactions