code-423n4 / 2023-05-venus-findings


Borrower immediately liquidated after repayments resume #294

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/VToken.sol#L1060
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/VToken.sol#L936
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Comptroller.sol#L391

Vulnerability details

Impact

While repayments are paused, a Borrower may become subject to liquidation through no fault of their own, due to being prevented from repaying while markets fluctuate. Upon repayments being resumed, such Borrowers will be immediately liquidated by liquidation bots with virtually no chance of repaying (unless they run their own repayment bot and can successfully front-run the liquidation bots). This is a known vulnerability class: Borrowers Immediately Liquidated After Repayments Resume.

Proof of Concept

A major logical invariant of DeFi Lending/Borrowing systems is that the system should never be able to enter a state where a Borrower can't repay, but can be liquidated/have their collateral seized.

Venus tries to preserve this invariant: VToken._liquidateBorrowFresh() calls VToken._repayBorrowFresh(), which calls Comptroller.preRepayHook(), which reverts the liquidation if Action.REPAY is paused.

However, this is not sufficient: while repayments are paused, a Borrower may become subject to liquidation through no fault of their own, due to being prevented from repaying while markets fluctuate. As soon as repayments are resumed, such a Borrower will be immediately liquidated by liquidation bots, with the only possibility of saving their position being that the Borrower themselves runs a repayment bot and can successfully front-run the liquidation bot.

This situation unfairly disadvantages Borrowers as such Borrowers became subject to liquidation through no fault of their own. Upon repayments resuming a Borrower will be immediately liquidated, unfairly disadvantaging the Borrower and giving a huge advantage to the Liquidator.

Please note, judges: this is not a duplicate of my other submission, where I show there still exist other paths that allow a Borrower's collateral to be seized while repayments are paused; these are two distinct vulnerability classes common to Lending/Borrowing DeFi systems.

Tools Used

Manual review

Recommended Mitigation Steps

To fix the game theory such that neither Borrowers nor Liquidators are unfairly favored, after repayments are resumed there should be a grace period during which Borrowers can't be liquidated for the market that was paused.

Let t = time that repayments were paused, g = length of grace period.

One potentially fair solution: g = t > 8 hours ? 8 hours : t

This solution gives at most an 8 hour grace period (corresponding to 1 reasonable human sleep interval); if repayments were paused for less than that, the grace period will be the same as the repayment pause period.

Assessed type

MEV
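The grace-period rule from the Recommended Mitigation Steps above, as an added illustrative sketch that is neither Venus code nor the warden's: it records when repayments were paused for a market and, on resume, blocks liquidations of that market for g = min(t, 8 hours). The contract name, storage layout, setRepayPaused entry point and admin check are assumptions for illustration; in Venus this would sit alongside the existing action-pause handling and the liquidation pre-hook.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Illustrative sketch (not Venus code): per-market liquidation grace period
/// after repayments resume, g = min(t, 8 hours), where t is the pause duration.
contract RepayGracePeriod {
    uint256 public constant MAX_GRACE = 8 hours;

    address public admin;
    // Timestamp at which REPAY was paused for the market; 0 when not paused.
    mapping(address => uint256) public repayPausedAt;
    // Liquidations of the market are blocked until this timestamp.
    mapping(address => uint256) public liquidationGraceEnd;

    event RepayPauseUpdated(address indexed market, bool paused, uint256 graceEnd);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    /// Hypothetical entry point the pause path would call for Action.REPAY.
    function setRepayPaused(address market, bool paused) external onlyAdmin {
        if (paused) {
            // Only record the start of the first (outermost) pause.
            if (repayPausedAt[market] == 0) repayPausedAt[market] = block.timestamp;
        } else if (repayPausedAt[market] != 0) {
            uint256 t = block.timestamp - repayPausedAt[market];
            uint256 g = t > MAX_GRACE ? MAX_GRACE : t;
            liquidationGraceEnd[market] = block.timestamp + g;
            repayPausedAt[market] = 0;
        }
        emit RepayPauseUpdated(market, paused, liquidationGraceEnd[market]);
    }

    /// Check a liquidation pre-hook would perform before seizing collateral.
    /// Liquidation stays blocked while repay is paused (mirroring the existing
    /// preRepayHook revert) and for the grace window after it resumes.
    function liquidationAllowed(address market) public view returns (bool) {
        if (repayPausedAt[market] != 0) return false;
        return block.timestamp >= liquidationGraceEnd[market];
    }
}
```

With this in place, a liquidator cannot act in the first block after the unpause, and a Borrower paused for two hours gets a two hour window while one paused for a week still gets only eight hours.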

c4-judge commented 1 year ago

0xean marked the issue as duplicate of #417

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

c4-judge commented 1 year ago

0xean changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

0xean marked the issue as grade-b