150 matches found
Pallet liquidation scams and how to recognize them
Pallet liquidation scams target people looking to purchase pallets of supposedly discounted merchandise, often from major retailers like Amazon. Groups that engage in pallet liquidation sales are rampant on social media and it’s hard to discern the scammers from the legitimate ones to be honest,...
Upgraded Q -> 2 from #49 [1704028025372]
Judge has assessed an item in Issue 49 as 2 risk. The relevant finding follows: L-05 Some tokens revert on 0 amount transfer ParticlePositionManager::liquidatePosition: File: protocol/ParticlePositionManager.sol 376: // reward liquidator 377: TransferHelper.safeTransfer(closeCache.tokenFrom,...
Users can avoid liquidation by splitting their positions into smaller ones
Lines of code Vulnerability details Impact Bad debt creation, as the total sum of positions could yield a significant underwater position, but they would likely not be liquidated as it wouldn't compensate liquidators. Proof of Concept A recent, random transaction on Mantle shows a gas fee of 0.47...
Liquidation condition should not factor the liquidation reward into the premiums
Lines of code Vulnerability details Summary The premiums used to determine the liquidation condition have the liquidation reward already discounted, potentially causing a lien to be considered underwater while technically it is not. Impact Positions in Particle LAMM can be liquidated if the owed...
In some pools, borrowers can maliciously prevent liquidatePosition()
Lines of code Vulnerability details Vulnerability details in liquidatePosition At the end of the liquidation, the liquidation fee will be transferred to the liquidator. function liquidatePosition(DataStruct.ClosePositionParams calldata params, address borrower) external override nonReentrant...
changing LOAN_TERM changes terms for existing loans
Lines of code Vulnerability details Impact If the protocol updates the loan terms, this will affect existing loans taken under different terms. Proof of Concept LOAN_TERM is a guarantee for the lender liquidity provider to eventually get their liquidity back. After loan term has passed the lender...
liquidatePosition() change LOAN_TERM may result in the borrower paying additional liquidation fees.
Lines of code Vulnerability details Vulnerability details Currently, there are three ways to close a position: 1. The borrower voluntarily closes it through closePosition. 2. If Premium is insufficient, it is forcibly closed by liquidatePosition. 3. After the loan expires, LP forcibly closes it b...
Liquidations can be prevented by frontrunning and liquidating 1 debt (or more) due to wrong assumption in POS_MANAGER
Lines of code Vulnerability details Impact Users can avoid being liquidated if they frontrun liquidation calls with a liquidate call with 1 wei. Or, they may do a partial liquidation and avoid being liquidated before the interest reaches the value of the debt pre liquidation. The total interest...
Liquidator can get higher rate for liquidation
Lines of code Vulnerability details Proof of Concept When a position is unhealthy, it can be liquidated. In order to incentivize someone to liquidate positions, they receive some extra amount of collateral. This incentive percentage is calculated inside...
liquidatePosition() liquidator can construct malicious data to steal the borrower's profit.
Lines of code Vulnerability details Vulnerability details When the Loan expires, and RenewalCutoffTime has been set, anyone can execute the liquidation method liquidatePosition. Execution path: liquidatePosition -> closePosition -> Base.swap(params.data) The problem is that this params.data can be...
Modifying the loan term setting can default existing loans
Lines of code Vulnerability details Summary Protocol admins can modify the loan term settings. This action can inadvertently default existing loans created under different terms. Impact Positions in the Particle LAMM protocol are created for a configurable period of time, defined by the LOAN_TERM...
Zero amount token transfers may cause a denial of service during liquidations
Lines of code Vulnerability details Summary Some ERC20 implementations revert on zero value transfers. Since liquidation rewards are based on a fraction of the available position's premiums, this may cause an accidental denial of service that prevents the successful execution of liquidations...
setPosMode should not allow changing the mode when the new mode's canRepay status is disabled
Lines of code Vulnerability details Impact In the scenario where the mode's canRepay status is set to false, positions using that mode cannot be repaid and liquidated. However, users are allowed to change their position's mode to one where the canRepay status is currently set to false. This could...
Liquidator has no incentives to execute a favorable trade to the borrower
Lines of code Vulnerability details Summary Swaps involved in liquidations may negatively impact the owner of the lien, since there is no incentive to execute a favorable trade as long as the received amount is enough to recover the liquidity. Impact When an existing position is closed, the...
position can be opened without premium
Lines of code Vulnerability details Description Premium in ParticlePositionManager is used to cover trading fees accrued for the liquidity borrowed. When liquidating, a portion of the premium is also used for the liquidation reward. The issue is that a borrower can open a position without any...
A wLP collateral that is no longer whitelisted but was at some point won't let users decollateralize or be liquidated
Lines of code Vulnerability details Impact Users who collateralized using wLP won't ever be liquidated unless the wLP is whitelisted back, but this could be dangerous depending on the reason it was removed from the whitelist. They also can't decollateralize. The severity of this issue depends...
LendingPool interest should not accrue when pool's repay is paused
Lines of code Vulnerability details Impact When the canRepay status of pools inside InitCore is paused, users are not allowed to repay their positions when borrowing from the paused pool. However, interest continues to accrue during this pause period, exposing users to potential liquidation risk...
InitCore.liquidate will revert in case if poolOut is paused for collateral
Lines of code Vulnerability details Proof of Concept The InitCore.liquidate function tries to check that the provided poolOut variable is a valid pool of the protocol. It does this using the vars.config.isAllowedForCollateral check. As you can see, if poolOut is paused as collateral for the mode, then...
Interest still accruing when repayment is paused, creating debt that cannot be repaid
Lines of code Vulnerability details Impact Interest still accruing when repayment is paused Proof of Concept When the admin pauses the lending pool repayment, as timestamp elapses, interest is still accruing /// @inheritdoc ILendingPool function accrueInterest() public { uint lastAccruedTime =...
InitiCore.liquidate uses stale toShares function
Lines of code Vulnerability details Proof of Concept When a position is going to be liquidated, the liquidator provides poolToRepay and poolOut. He wants to repay some amount to poolToRepay and get shares from poolOut back according to repaid amount + bonus. ILendingPool(poolOut).toShares function i...