DoS of liquidation

[code423n4]

Lines of code

https://github.com/code-423n4/2023-05-particle/blob/1caf678bc20c24c96fc8f6b0046383ff0e9d2a6f/contracts/protocol/ParticleExchange.sol#L518-L541

Vulnerability details

Impact

The lender can be prevented from liquidating the borrower, at negligible cost to the borrower.

Proof of Concept

When the borrower is insolvent the lender can liquidate him by withdrawEthWithInterest(lien, lienId). The parameters are verified by the modifier validateLien() which checks that the lien is hashed to the same digest as is stored at liens[lienId]. The issue is that the borrower than frontrun the lender call to withdrawEthWithInterest() with a call to addCredit() providing only 1 wei, even though he is deeply insolvent. addCredit() changes the value credit in the lien which updates the stored digest. This causes the lien validation to revert in the lender's call to withdrawEthWithInterest(). This way the borrower can avoid liquidation, without having to top up his credit to meet his owed interest. The borrower can thus limit his loss while still having access to the NFT, hoping to trade it later during more favourable market conditions.

Recommended Mitigation Steps

Require the amount provided in addCredit() to make the borrower solvent.

Assessed type

DoS

[c4-judge]

hansfriese marked the issue as satisfactory

[c4-judge]

hansfriese marked the issue as duplicate of #31

[c4-sponsor]

wukong-particle marked the issue as sponsor acknowledged

[wukong-particle]

Judge is correct, indeed duplication.

[c4-sponsor]

wukong-particle marked the issue as sponsor confirmed

[wukong-particle]

this actually should be duplicate of https://github.com/code-423n4/2023-05-particle-findings/issues/16 (1 wei addCredit DoS), fixed with https://github.com/Particle-Platforms/particle-exchange-protocol/pull/14 (addCredit needs exceed minimum 0.01 ETH )