
15 matches found

Code423n4
added 2023/12/21 12:00 a.m., 14 views

Users can avoid liquidation by splitting their positions into smaller ones

Lines of code Vulnerability details Impact Bad debt creation, as the total sum of positions could yield a significant underwater position, but they would likely not be liquidated as it wouldn't compensate liquidators. Proof of Concept A recent, random transaction on Mantle shows a gas fee of 0.47...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/12/19 12:00 a.m., 11 views

Small positions are allowed in the system that are not profitable for liquidators

Lines of code Vulnerability details Proof of Concept When someone borrows, then he can borrow any assets amount that he would like. In the end function will check that position is healthy, which means that user has enough collateral amount to cover borrowed amount. The problem is that this functi...

AI score: 7
Exploits: 0
Code423n4
added 2023/08/04 12:00 a.m., 9 views

Incorrect parameter for getCallerReward might return 0 reward despite insolvency

Lines of code Vulnerability details Impact The calculation of the caller reward uses an incorrect value. If the exchangeRate remains the same but a lot of interest accrues, then there will be no liquidation reward. Without a liquidation reward borrowing positions will not get liquidated and incur...

AI score: 6.9
Exploits: 0
Code423n4
added 2023/05/15 12:00 a.m., 6 views

Bad debt bidders’ funds are locked forever when Shortfall address is changed during ongoing debt auction

Lines of code Vulnerability details Vulnerability Details When the protocol accrues bad debt, it can be auctioned off to anyone who is willing to pay. Each user wanting to participate in the auction has to lock their bid in Shortfall contract: function placeBid(address comptroller, uint256 bidBps...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/05/15 12:00 a.m., 12 views

totalBorrows is not deducted properly when Comptroller#healAccount is called

Lines of code Vulnerability details Impact TotalBorrowed in VToken is not accounted properly when healAccount is called. Proof of Concept Comptroller#healAccount intends to forgive the debt of the account if the debt goes far too underwater. When that happens, the collateral is seized, some of the...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/05/15 12:00 a.m., 10 views

Malicious actor can win auction unfavorably to the protocol by block stuffing

Lines of code Vulnerability details Vulnerability Details When protocol’s bad debt is auctioned off with 10% incentive at the beginning. A user who gives the best bid, wins. The auction ends when at least one account placed a bid, and current block number is bigger than nextBidderBlockLimit:...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/03/07 12:00 a.m., 8 views

Improper Management of Critical Market Condition

Lines of code Vulnerability details Impact The BorrowerOperations::requireValidAdjustmentInCurrentMode validation function will apply a weak level of validation, causing the system to magnify its critical market conditions when in recovery mode. In detail, both...

AI score: 7.1
Exploits: 0
Code423n4
added 2023/01/17 12:00 a.m., 16 views

Liquidation bots are needed to stabilize the system.

Lines of code Vulnerability details Impact Allowing liquidation bots to arbitrage would stabilize the system. The majority of liquidations are done by liquidation bots. For liquidation bots to be viable there has to exist a secondary market where the assets can be instantly sold. This is especial...

AI score: 6.7
Exploits: 0
Code423n4
added 2022/12/21 12:00 a.m., 13 views

Users may be liquidated right after taking maximal debt

Lines of code Vulnerability details Impact Since there's no gap between the maximal LTV and the liquidation LTV, user positions may be liquidated as soon as maximal debt is taken, without leaving room for collateral and Papr token prices fluctuations. Users have no chance to add more collateral o...

AI score: 6.7
Exploits: 0
Code423n4
added 2022/12/09 12:00 a.m., 8 views

Bad debt will likely incur when multiple NFTs are liquidated.

Lines of code Vulnerability details Description getUserBalanceForERC721 in GenericLogic gets the value of a user's specific ERC721 xToken. It is later used for determining the account's health factor. In case isAtomicPrice is false such as in ape NTokens, price is calculated using: uint256...

AI score: 6.8
Exploits: 0
Code423n4
added 2022/08/17 12:00 a.m., 16 views

Pausing can cause serious bad debt since debt can't be liquidated.

Lines of code Vulnerability details Impact Pausing can cause serious bad debt since debt can't be liquidated. For example, if 1 UST is used as collateral to borrow 0.7 USDT 30% safety. Then UST crashed and chainlink stopped working. You left no choice but to pause the contract. After that UST...

AI score: 7
Exploits: 0
Code423n4
added 2022/07/17 12:00 a.m., 15 views

There is no method to unignore any ignored pair.

Lines of code Vulnerability details Impact The Witch contract uses setIgnoredPair function to prevent the liquidation of accepted pairs on the governance level. However, there is no method to remove these pairs from the ignoredPairs mapping. Proof of Concept Imagine there are vaults with UST/fyUS...

AI score: 6.7
Exploits: 0
Code423n4
added 2022/02/23 12:00 a.m., 9 views

After debt seizure from InsuranceFund, user can dilute all past participants.

Lines of code Vulnerability details Impact A user can get a much larger portion of the pool as it recovers from a debt seizure. The intent of the insurance pool seems to be that it could recover from a bad debt event. Proof of Concept 1. Alice is the first LP to the insurance pool, and deposits...

AI score: 6.6
Exploits: 0
Code423n4
added 2021/10/26 12:00 a.m., 10 views

One auction at a time would lead to bad debt

Handle jonah1005 Vulnerability details One auction at a time would lead to bad debt Impact The current DutchAuctionLiquidator only allows one auction for a position at a time. This is not a desirable design. If a position is liquidated due to the price movement of collaterals, the position would...

AI score: 6.9
Exploits: 0
Code423n4
added 2021/07/14 12:00 a.m., 8 views

SelfBurn lpToken may create bad debt

Handle jonah1005 Vulnerability details Impact Users can create bad debt by burning their lpToken. Bad debt of the system would increase the utilization rate and hence increase the interest rate of the counterpart token. It would be a reasonable action to burn lp if the user is no longer profitabl...

AI score: 6.8
Exploits: 0