Closed masaun closed 1 year ago
WontDo: The rationale about the vulnerability is unclear. The liquidator or msg.sender/caller of the liquidate() function can assign as receiver anybody they think should receive the gained shares. If they send them back to the owner, they effectively just gave them "free money". However, this is the choice of the caller, and doing the aforementioned is not profitable. Though, the team does not consider that this should be blocked. The original intent is for the liquidator (typically an EOA) to assign a separate multisig or "gnosisSafe" to receive the gainedShares.

Title
A user who has the `LIQUIDATOR_ROLE` will not lose their `gainedShares` even if their debt would be liquidated

Affected smart contract

Description
Within the `BorrowingVault#liquidate()`, the `owner` of debt and the `receiver` who is a liquidator would be assigned as parameters. Once liquidation occurs, the `gainedShares` will be burned from the `owner` and the `gainedShares` will be minted to the `receiver` like this:
https://github.com/Fujicracy/fuji-v2/blob/main/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L585-L586
https://github.com/Fujicracy/fuji-v2/blob/main/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L622-L623

In the case above, a user who has the `LIQUIDATOR_ROLE` can assign both the `owner` and the `receiver` as argument values when the user calls the `BorrowingVault#liquidate()`.

The `owner` and the `receiver` are supposed to be different addresses. Because if the same address would be assigned into both the `owner` and `receiver`, the `gainedShares` can be minted to the `receiver` even if the `gainedShares` would be burned from the `owner`.

However, there is no validation to check whether the `owner` and `receiver` are different addresses. If a user who has the `LIQUIDATOR_ROLE` assigns the same address as the `owner` into the `receiver` as an argument value when the user calls the `BorrowingVault#liquidate()`, the address assigned will not lose their `gainedShares` even if the `owner` is liquidated.

Attack scenario
- `LIQUIDATOR_ROLE` borrow some amount of tokens based on shares and the user become the `owner` of the debt.
- `liquidationFactor` meet the threshold of liquidation, the debt of the `owner` will be liquidated.
- `LIQUIDATOR_ROLE` call the `BorrowingVault#liquidate()` by assigning the same address with `owner` into the `receiver`.
- `liquidate()` is called above, the amount of `gainedShares` would be burned from the `owner` then the same amount of the `gainedShares` would be minted to the `receiver`.
- `owner` was assigned into the `receiver`, the `owner` will not lose their `gainedShares`. Because the `receiver` receive the amount of `gainedShares` burned from the `owner`.

Recommendation
Consider adding a validation in order to check whether the `owner` and `receiver` are different addresses to the `BorrowingVault#liquidate()` like this:
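
The burn-and-mint step described in this issue, next to a guard of the kind the recommendation asks for, as an added sketch that is not the issue author's snippet and not code from the Fuji repository. The contract, function and error names are hypothetical, `gainedShares` is passed in directly instead of being computed, and the `LIQUIDATOR_ROLE` check is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Toy share ledger (hypothetical, not Fuji's BorrowingVault). It models only the
/// burn-from-owner / mint-to-receiver step that the issue describes.
contract ToyLiquidationLedger {
    error ToyLedger__ReceiverIsOwner();    // hypothetical error name
    error ToyLedger__InsufficientShares(); // hypothetical error name

    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Liquidated(address indexed owner, address indexed receiver, uint256 gainedShares);

    /// Stand-in for a real deposit: credits shares to the caller.
    function deposit(uint256 shares) external {
        balanceOf[msg.sender] += shares;
        totalSupply += shares;
    }

    /// Behaviour described in the issue: owner and receiver are not compared.
    function liquidateUnchecked(address owner, address receiver, uint256 gainedShares) external {
        _moveShares(owner, receiver, gainedShares);
    }

    /// Same step with the validation the recommendation asks for.
    function liquidateChecked(address owner, address receiver, uint256 gainedShares) external {
        if (receiver == owner) revert ToyLedger__ReceiverIsOwner();
        _moveShares(owner, receiver, gainedShares);
    }

    function _moveShares(address owner, address receiver, uint256 gainedShares) private {
        if (balanceOf[owner] < gainedShares) revert ToyLedger__InsufficientShares();
        // Burn from the owner.
        balanceOf[owner] -= gainedShares;
        totalSupply -= gainedShares;
        // Mint to the receiver. When receiver == owner this restores the
        // balance that was just burned, so the owner's shares are unchanged.
        balanceOf[receiver] += gainedShares;
        totalSupply += gainedShares;
        emit Liquidated(owner, receiver, gainedShares);
    }
}
```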