code-423n4 / 2022-08-frax-findings


Wrong value of `dirtyLiquidationFee` during construction leads to wrong calculation and liquidators might receive less amount of collateral #274

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L194

Vulnerability details

Impact

In the FraxlendPairCore.constructor() function, the value of dirtyLiquidationFee should be 90% of the clean fee (per the comment). But in the implementation it is only equal to 9% of the clean fee, because LIQ_PRECISION = 1e5 and 9000 is only 9% of 1e5.

This basically results in liquidators receiving a smaller amount of collateral in the liquidateClean() function.

Proof of Concept

Line 194 initializes the value of dirtyLiquidationFee:

```solidity
dirtyLiquidationFee = (_liquidationFee * 9000) / LIQ_PRECISION; // 90% of clean fee
```

This variable is used to calculate the amount of collateral received by liquidators in lines 988-990:

```solidity
_collateralForLiquidator = _leftoverCollateral <= 0
    ? _userCollateralBalance
    : (_liquidationAmountInCollateralUnits * (LIQ_PRECISION + dirtyLiquidationFee)) / LIQ_PRECISION;
```

Tools Used

Manual Review

Recommended Mitigation Steps

Fix line 194 to

```solidity
dirtyLiquidationFee = (_liquidationFee * 90000) / LIQ_PRECISION;
```

0xA5DF commented 2 years ago

Duplicate of #132

amirnader-ghazvini commented 2 years ago

Duplicate of #238
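
The scaling error described in the report above, modelled with Python integers as an added example (not part of the original submission or the Frax code base). The clean fee of 10,000 (10% at 1e5 precision), the amounts and all function names are constructed for illustration; `leftover` is passed in because the report does not show how it is computed.

```python
from fractions import Fraction

LIQ_PRECISION = 10**5  # 1e5, as stated in the report


def dirty_fee(clean_fee: int, multiplier: int) -> int:
    # Line 194 as quoted; // matches Solidity's truncating uint division.
    return (clean_fee * multiplier) // LIQ_PRECISION


def share_of_clean_fee(multiplier: int) -> Fraction:
    # Fraction of the clean fee that a given multiplier actually encodes.
    return Fraction(multiplier, LIQ_PRECISION)


def multiplier_matches(multiplier: int, intended_percent: int) -> bool:
    # Unit-test style guard: does the constant encode the documented percentage?
    return multiplier * 100 == intended_percent * LIQ_PRECISION


def collateral_for_liquidator(liq_amount: int, user_balance: int,
                              leftover: int, fee: int) -> int:
    # Lines 988-990 as quoted; `leftover` is an input (assumption, see lead-in).
    if leftover <= 0:
        return user_balance
    return (liq_amount * (LIQ_PRECISION + fee)) // LIQ_PRECISION


def compare(clean_fee: int, liq_amount: int, user_balance: int, leftover: int) -> dict:
    # Evaluate the constant from line 194 next to the recommended one.
    out = {}
    for label, mult in (("as_deployed", 9000), ("recommended", 90000)):
        fee = dirty_fee(clean_fee, mult)
        out[label] = {
            "dirty_fee": fee,
            "share": share_of_clean_fee(mult),
            "matches_90_percent": multiplier_matches(mult, 90),
            "collateral": collateral_for_liquidator(liq_amount, user_balance, leftover, fee),
        }
    return out


# Constructed inputs: 10% clean fee, 1,000,000 collateral units liquidated,
# positive leftover so the fee branch is taken.
SAMPLE = compare(clean_fee=10_000, liq_amount=1_000_000, user_balance=5_000_000, leftover=1)

if __name__ == "__main__":
    for label, row in SAMPLE.items():
        print(label, row)
```

A guard like `multiplier_matches` in a constructor test catches a constant that disagrees with its own comment before deployment.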