code-423n4 / 2021-08-notional-findings

Liquidator can be liquidatee #86

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The liquidation actions do not prevent self-liquidations. See, for example, LiquidatefCashAction.liquidatefCashLocal.

Impact

When liquidating oneself, in LiquidatefCash.finalizefCashLiquidation c.accountContext is for the same user as the liquidatorContext. The contexts are updated independently of each other, but they should be updated sequentially. The final liquidatee account context overwrites the previous liquidatorContext:

c.accountContext.setAccountContext(liquidateAccount);

This could eventually lead to a corrupted account context for self-liquidations.

Recommendation

Check that msg.sender != liquidateAccount

jeffywu commented 2 years ago

If this were the case I think it would be critical; however, we check on every liquidation that the liquidator is not the liquidated account: https://github.com/code-423n4/2021-08-notional/blob/main/contracts/internal/liquidation/LiquidationHelpers.sol#L39

ghoul-sol commented 2 years ago

per sponsor comment making this invalid
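The overwrite described in the report, and the guard its Recommendation asks for, shown as an added example on a simplified model. This is not Notional's code and not part of the thread; the contract, the `Ctx` struct, the `contexts` mapping and all function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: a simplified model, not Notional's contracts.
// Ctx, contexts and every function name here are hypothetical.
contract LostUpdateDemo {
    struct Ctx {
        uint256 cash;       // stand-in for balances tracked in the context
        uint256 assetCount; // stand-in for portfolio bookkeeping
    }

    mapping(address => Ctx) public contexts;

    function seed(address account, uint256 cash, uint256 assetCount) external {
        contexts[account] = Ctx(cash, assetCount);
    }

    // No guard: when msg.sender == liquidatee, both memory copies come
    // from the same storage slot and the second write-back discards the first.
    function liquidateUnchecked(address liquidatee, uint256 cashPaid) external {
        _liquidate(msg.sender, liquidatee, cashPaid);
    }

    // Same flow with the check from the Recommendation.
    function liquidateChecked(address liquidatee, uint256 cashPaid) external {
        require(msg.sender != liquidatee, "self-liquidation");
        _liquidate(msg.sender, liquidatee, cashPaid);
    }

    function _liquidate(address liquidator, address liquidatee, uint256 cashPaid) private {
        Ctx memory liquidatorCtx = contexts[liquidator]; // independent copy #1
        Ctx memory accountCtx = contexts[liquidatee];    // independent copy #2

        liquidatorCtx.cash -= cashPaid;  // liquidator pays cash
        liquidatorCtx.assetCount += 1;   // and receives the asset
        accountCtx.cash += cashPaid;     // liquidatee receives cash
        accountCtx.assetCount -= 1;      // and gives up the asset

        contexts[liquidator] = liquidatorCtx;
        contexts[liquidatee] = accountCtx; // last write wins if both keys match
    }
}
```

With an account seeded as (cash 100, assetCount 1) and cashPaid 10, a self-call to `liquidateUnchecked` leaves (110, 0) in storage instead of the unchanged (100, 1) that sequential updates would give, while `liquidateChecked` reverts.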