Closed code423n4 closed 1 year ago
hansfriese marked the issue as satisfactory
hansfriese marked the issue as duplicate of #31
wukong-particle marked the issue as sponsor acknowledged
Judge is correct, indeed duplication.
wukong-particle marked the issue as sponsor confirmed
this actually should be duplicate of https://github.com/code-423n4/2023-05-particle-findings/issues/16 (1 wei addCredit DoS), fixed with https://github.com/Particle-Platforms/particle-exchange-protocol/pull/14 (addCredit needs exceed minimum 0.01 ETH)
Lines of code
https://github.com/code-423n4/2023-05-particle/blob/1caf678bc20c24c96fc8f6b0046383ff0e9d2a6f/contracts/protocol/ParticleExchange.sol#L518-L541
Vulnerability details
Impact
The lender can be prevented from liquidating the borrower, at negligible cost to the borrower.
Proof of Concept
When the borrower is insolvent the lender can liquidate him by withdrawEthWithInterest(lien, lienId). The parameters are verified by the modifier validateLien() which checks that the lien is hashed to the same digest as is stored at liens[lienId]. The issue is that the borrower can frontrun the lender call to withdrawEthWithInterest() with a call to addCredit() providing only 1 wei, even though he is deeply insolvent. addCredit() changes the value credit in the lien which updates the stored digest. This causes the lien validation to revert in the lender's call to withdrawEthWithInterest(). This way the borrower can avoid liquidation, without having to top up his credit to meet his owed interest. The borrower can thus limit his loss while still having access to the NFT, hoping to trade it later during more favourable market conditions.
Recommended Mitigation Steps
Require the amount provided in addCredit() to make the borrower solvent.
Assessed type
DoS
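The digest check described in this report, modelled with the two guards mentioned on the page (the 0.01 ETH floor from the sponsor's comment and the solvency requirement from the recommended mitigation). This is an added example, not code from the report or from the Particle code base. It assumes a two-field `Lien`, sha256 in place of the contract's hash, interest that is already computed, and the hypothetical names `Exchange` and `lender_can_liquidate`.

```python
import hashlib
from dataclasses import dataclass, replace
MIN_CREDIT = 10**16  # 0.01 ETH in wei, the floor named in the sponsor's comment

@dataclass(frozen=True)
class Lien:  # simplified stand-in; field names are assumptions
    credit: int          # wei posted by the borrower
    owed_interest: int   # wei of interest accrued (assumed precomputed)

def digest(lien):
    # sha256 over repr() stands in for the contract's hash of the encoded lien
    return hashlib.sha256(repr(lien).encode()).digest()

class Exchange:
    def __init__(self, min_credit=0, require_solvent=False):
        self.liens, self.min_credit, self.require_solvent = {}, min_credit, require_solvent

    def _validate(self, lien, lien_id):  # models validateLien()
        if self.liens.get(lien_id) != digest(lien):
            raise ValueError("invalid lien")

    def add_credit(self, lien, lien_id, amount):
        self._validate(lien, lien_id)
        updated = replace(lien, credit=lien.credit + amount)
        if amount < self.min_credit:
            raise ValueError("below minimum credit")
        if self.require_solvent and updated.credit < updated.owed_interest:
            raise ValueError("top-up leaves borrower insolvent")
        self.liens[lien_id] = digest(updated)  # stored digest changes here

    def withdraw_eth_with_interest(self, lien, lien_id):
        self._validate(lien, lien_id)  # a stale lien copy fails here
        if lien.credit >= lien.owed_interest:
            raise ValueError("borrower is solvent")
        del self.liens[lien_id]
        return lien.credit

def lender_can_liquidate(exchange, topup=1):
    # Replays the report's ordering: the top-up lands first, then the lender's call.
    seen = Lien(credit=0, owed_interest=10**18)  # constructed sample lien
    exchange.liens[1] = digest(seen)
    try:
        exchange.add_credit(seen, 1, topup)
    except ValueError:
        pass  # top-up rejected, stored digest unchanged
    try:
        exchange.withdraw_eth_with_interest(seen, 1)
    except ValueError:
        return False
    return True
```

In this model the floor alone leaves the stale-digest revert in place for any top-up of at least 0.01 ETH, so it raises the cost of each blocked call rather than removing it. The solvency requirement only lets the digest change when the top-up covers the owed interest.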