code-423n4 / 2022-07-yield-findings


Good debt position get liquidated and result in user fund loss #80

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L253

Vulnerability details

Impact


The protocol relies on auctioneers to put bad debt into auction and liquidation or cancel the liquidated position, but it is possible that when auctioneers put debt into auction, the user adds more collateral to avoid liquidation, and the `cancel` function is never called.

Then the user's position is not subject to liquidation and can still be liquidated.

Proof of Concept


Tools Used

VIM

Recommended Mitigation Steps

The developer can check whether the user's position is subject to liquidation when the user calls payBase or payFYToken.

https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L357

```solidity
    function payFYToken(
        bytes12 vaultId,
        address to,
        uint128 minInkOut,
        uint128 maxArtIn
    )
        external
        returns (
            uint256 liquidatorCut,
            uint256 auctioneerCut,
            uint256 artIn
        )
    {
        DataTypes.Auction memory auction_ = auctions[vaultId];
        require(auction_.start > 0, "Vault not under auction");
        // this line is added to ensure the user's position is still subject to liquidation
        require(cauldron.level(vaultId) < 0, "Not undercollateralized");
```

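
The sequence this finding describes (auction started on a bad vault, collateral topped up, liquidator pays anyway), as an added toy model that is not part of the original report or the Yield codebase; `Vault`, `Cauldron`, `Witch`, `level`, `pour` and the 150% ratio are simplified stand-ins, not the real contracts' API:

```python
# Added example: minimal model of the Witch auction flow from this finding.
# All names and numbers are constructed stand-ins, not the Yield contracts.
from dataclasses import dataclass, field

RATIO = 1.5  # constructed collateralization ratio (150%)

@dataclass
class Vault:
    ink: float  # collateral
    art: float  # debt

@dataclass
class Cauldron:
    vaults: dict = field(default_factory=dict)
    spot: float = 1.0  # constructed collateral price in debt units

    def level(self, vault_id: str) -> float:
        """Negative means undercollateralized (liquidatable), like cauldron.level()."""
        v = self.vaults[vault_id]
        return v.ink * self.spot - v.art * RATIO

    def pour(self, vault_id: str, ink: float) -> None:
        """The user adds collateral to the vault after the auction has started."""
        self.vaults[vault_id].ink += ink

class Witch:
    def __init__(self, cauldron: Cauldron, recheck_level: bool):
        self.cauldron = cauldron
        self.recheck_level = recheck_level  # the mitigation proposed in the report
        self.auctions: dict = {}

    def auction(self, vault_id: str) -> None:
        if self.cauldron.level(vault_id) >= 0:
            raise ValueError("Not undercollateralized")
        self.auctions[vault_id] = 1  # non-zero start marks "under auction"

    def pay(self, vault_id: str) -> str:
        if self.auctions.get(vault_id, 0) == 0:
            raise ValueError("Vault not under auction")
        if self.recheck_level and self.cauldron.level(vault_id) >= 0:
            raise ValueError("Not undercollateralized")  # added check blocks the liquidation
        del self.auctions[vault_id]
        return "liquidated"

def run_scenario(recheck_level: bool) -> str:
    """Auction a bad vault, let the user top up collateral, then have a liquidator pay."""
    c = Cauldron({"v1": Vault(ink=100.0, art=80.0)})  # level = 100 - 120 = -20
    w = Witch(c, recheck_level)
    w.auction("v1")
    c.pour("v1", 50.0)  # level = 150 - 120 = +30, vault is healthy again
    try:
        return w.pay("v1")
    except ValueError as e:
        return str(e)
```

Without the re-check the healthy vault is still liquidated; with it the payment reverts, matching the mitigation above.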
HickupHH3 commented 2 years ago

dup of #91

alcueca commented 2 years ago

Duplicate of #40

PierrickGT commented 2 years ago

Downgraded to QA Report since this issue is related to a design decision.

PierrickGT commented 2 years ago

Only issue submitted by this warden. Since it has been downgraded to a QA report, I will remove the duplicate label and reopen it.