Borrower can redeem there collateral without repaying debt completely

[code423n4]

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/VToken.sol#L213 https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Comptroller.sol#L1304

Vulnerability details

Impact

A borrower can redeem token in a pool though it has been used as a collateral in another pool without repaying the debt. Borrower can redeem the token as underlying asset even if his/her loan position is in the situation of liquidation.

Proof of Concept

Let there be three pools A,B and C and user have tokens of all. Then let user borrow some balance only from pool A and use token of B and C as collateral. Then Even if the user position in pool A is in the sitaution of liquidation user can redeem the token of pool B and C.

Suppose user calls function redeem in pool B. Then in _getHypotheticalLiquiditySnapshot only the assets present in pool B is taken into calculation. As there is no any other Borrow in pool B and other asset as collateral we can reedeem the token B.

Tools Used

Manual Review

Recommended Mitigation Steps

Don't let the token to be redeemed after it is used as a collateral until the proper condition is fullfilled. In _getHypotheticalLiquiditySnapshot or in any section update the code to check whether it has been used as collateral and can be redeemed or not.

Assessed type

Other

[c4-sponsor]

chechu marked the issue as sponsor disputed

[chechu]

If we are using only one pool and three markets, tokens B and C are in the accountAssets[account] during the check perfomed for the redeem. Tokens used as collateral are added to accountAssets[] here: https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Comptroller.sol#L1195 If we are using three different pools, and each of the three markets are in one different pool, then the user wasn't able to use tokens B & C as collateral to borrow tokens A.

[c4-judge]

0xean marked the issue as unsatisfactory: Invalid