Code4rena CODE423N4:2023-12-PARTICLE-FINDINGS-ISSUES-52
Dec 21, 2023 - 12:00 a.m.

Modifying the loan term setting can default existing loans


AI Score: 6.8 Medium (Confidence: Low)

Lines of code

Vulnerability details

Summary

Protocol admins can modify the loan term settings. This action can inadvertently default existing loans created under different terms.

Impact

Positions in the Particle LAMM protocol are created for a configurable period of time, defined by the LOAN_TERM variable. If the loan exceeds this duration, and the LP owner stops renewals that affect their position, the lien can be liquidated.

<https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L358-L368>

    358:         // check for liquidation condition
    359:         ///@dev the liquidation condition is that
    360:         ///     (EITHER premium is not enough) OR (cutOffTime > startTime AND currentTime > startTime + LOAN_TERM)
    361:         if (
    362:             !((closeCache.tokenFromPremium < liquidateCache.tokenFromOwed ||
    363:                 closeCache.tokenToPremium < liquidateCache.tokenToOwed) ||
    364:                 (lien.startTime < lps.getRenewalCutoffTime(lien.tokenId) &&
    365:                     lien.startTime + LOAN_TERM < block.timestamp))
    366:         ) {
    367:             revert Errors.LiquidationNotMet();
    368:         }

The liquidation condition in line 365 does the check using the current value of LOAN_TERM. As the loan term can be updated using updateLoanTerm(), this means that reducing this value may inadvertently cause the liquidation of existing positions that were originally intended for a longer period of time.

Proof of concept

Let’s say the current configured loan term in ParticlePositionManager is 2 weeks.

  1. A user creates a new position, expecting it to last at least 2 weeks.
  2. The owner of the LP calls reclaimLiquidity() to stop it from being renewed.
  3. The protocol changes the loan term setting to 1 week.
  4. The user is liquidated after 1 week.
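
The four steps above as a Foundry test against a simplified model. This is an added example, not code from the Particle repository or the original report. `LoanTermModel` and its function names are hypothetical, it assumes forge-std is installed, and it keeps only the time-based half of the liquidation condition (no premiums, no access control).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Simplified model, not Particle's code: only the time-based half of the
// liquidation condition is kept; premiums and access control are omitted.
contract LoanTermModel {
    struct Lien {
        uint256 startTime;
        uint256 loanTerm; // term snapshotted at open (name follows the report's lien.loanTerm)
    }

    uint256 public LOAN_TERM = 2 weeks; // global, admin-adjustable setting
    uint256 public renewalCutoffTime; // stands in for lps.getRenewalCutoffTime(tokenId)
    Lien public lien;

    function openPosition() external {
        lien = Lien({startTime: block.timestamp, loanTerm: LOAN_TERM});
    }
    function reclaimLiquidity() external {
        renewalCutoffTime = block.timestamp; // LP owner stops renewals
    }
    function updateLoanTerm(uint256 newTerm) external {
        LOAN_TERM = newTerm;
    }

    // Reported behaviour: expiry is computed from the current global term.
    function expiredWithGlobalTerm() external view returns (bool) {
        return lien.startTime < renewalCutoffTime && lien.startTime + LOAN_TERM < block.timestamp;
    }

    // Recommended behaviour: expiry is computed from the term stored at open.
    function expiredWithStoredTerm() external view returns (bool) {
        return lien.startTime < renewalCutoffTime && lien.startTime + lien.loanTerm < block.timestamp;
    }
}

contract LoanTermModelTest is Test {
    function test_reducedTermExpiresExistingLien() public {
        LoanTermModel m = new LoanTermModel();
        m.openPosition();          // step 1: opened under a 2-week term
        skip(1 days);
        m.reclaimLiquidity();      // step 2: renewals stop
        m.updateLoanTerm(1 weeks); // step 3: admin shortens the term
        skip(7 days);              // day 8 after opening
        assertTrue(m.expiredWithGlobalTerm());  // step 4: term condition already met
        assertFalse(m.expiredWithStoredTerm()); // snapshot still honours 2 weeks
    }
}
```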

Recommendation

Store the loan term value at the time the position was created in the Lien structure, e.g. in lien.loanTerm. When checking the liquidation condition, calculate the end time using this value to honor the original loan term.

    if (
        !((closeCache.tokenFromPremium &lt; liquidateCache.tokenFromOwed ||
            closeCache.tokenToPremium &lt; liquidateCache.tokenToOwed) ||
            (lien.startTime &lt; lps.getRenewalCutoffTime(lien.tokenId) &&
-               lien.startTime + LOAN_TERM &lt; block.timestamp))
+               lien.startTime + lien.loanTerm &lt; block.timestamp))
    ) {
        revert Errors.LiquidationNotMet();
    }
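
Review bot: The replacement line reads lien.loanTerm, but nothing in this hunk writes that field, so the change is incomplete as shown. The value has to be copied from LOAN_TERM when the lien is created, and if the change is applied to a deployment that already has open liens, their loanTerm reads as zero, which makes lien.startTime + lien.loanTerm < block.timestamp true for them immediately. Add the assignment at position creation, decide on a fallback or migration for existing liens, and update the @dev comment above the condition, which still describes the check in terms of LOAN_TERM.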

Assessed type

Other

