Open code423n4 opened 1 year ago
JeffCX marked the issue as primary issue
Modifying the liquidation collateral ratio requires approval through DAO governance. Typically, users will have sufficient time to provide additional collateral.
LybraFinance marked the issue as sponsor acknowledged
0xean changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/base/LybraEUSDVaultBase.sol#L291-L293
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/pools/base/LybraPeUSDVaultBase.sol#L225-L228
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/configuration/LybraConfigurator.sol#L198-L206
Vulnerability details
Details
In LybraPeUSDVaultBase.sol & LybraEUSDVaultBase.sol, the _checkHealth function uses configurator.getSafeCollateralRatio(address(this)) to check whether the user position is healthy or not (eligible for liquidation). The returned value of getSafeCollateralRatio(vaultAddress), if vaultSafeCollateralRatio[pool] is not set yet, is 160 * 1e18.

The account with TIMELOCK privilege in the LybraConfigurator.sol contract can set vaultSafeCollateralRatio[pool] to a value greater than 160 * 1e18 for vaultType=0, and to a value greater than vaultBadCollateralRatio[pool] + 1e19 for vaultType=1, and there is no maximum limit check on the new value.
Impact
Proof of Concept
LybraConfigurator.sol:
LybraEUSDVaultBase.sol:
LybraPeUSDVaultBase.sol:
Tools Used
Manual Testing.
Recommended Mitigation Steps
A recommended mitigation step is to add a struct to track each position (debt) made by the user, in which the current safeCollateralRatio at the time of the borrow is recorded, and another array to track users' positions, so that when checking the health of the user, a weighted average of the health of all positions made by that user is used in checkHealth.
Assessed type
Other
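The scenario the report describes, as an added illustration that is not Lybra's code and not part of the original issue: a Python model of the health check and of the TIMELOCK-gated setter. It assumes the check has the shape `depositedAsset * price * 100 / debt >= safeCollateralRatio` with price and ratio scaled by 1e18 (inferred from the report's description, not verified against the repository), the hypothetical `max_ratio` cap stands in for the missing upper bound, and the `Borrower` class is one way to implement the per-position ratio snapshot and debt-weighted average the mitigation suggests. The vault label, prices and balances are constructed sample values.

```python
"""Model of a collateral-ratio health check whose threshold can be raised
without an upper bound.  Added example; the Lybra contracts are modelled
from the report's text, not reproduced."""
from dataclasses import dataclass, field

WAD = 10**18
DEFAULT_SAFE_RATIO = 160 * WAD   # 160 %, the fallback the report cites
BAD_RATIO_GAP = 10**19           # 1e19 == 10 %, lower bound for vaultType 1


class Configurator:
    """Mimics the TIMELOCK-gated setter.  `max_ratio` is a hypothetical cap
    (assumption, not in the project); None reproduces the unbounded case."""

    def __init__(self, max_ratio=None):
        self.safe = {}          # vault -> safe collateral ratio
        self.bad = {}           # vault -> bad collateral ratio (vaultType 1)
        self.max_ratio = max_ratio

    def get_safe_collateral_ratio(self, vault):
        return self.safe.get(vault, DEFAULT_SAFE_RATIO)

    def set_safe_collateral_ratio(self, vault, vault_type, new_ratio):
        # Only lower bounds exist, as the report observes.
        if vault_type == 0 and new_ratio < DEFAULT_SAFE_RATIO:
            raise ValueError("below 160%")
        if vault_type == 1 and new_ratio < self.bad.get(vault, 0) + BAD_RATIO_GAP:
            raise ValueError("below badCollateralRatio + 10%")
        # Hypothetical upper bound: the check the report says is absent.
        if self.max_ratio is not None and new_ratio > self.max_ratio:
            raise ValueError("above cap")
        self.safe[vault] = new_ratio


@dataclass
class Position:
    deposited: int   # collateral, 18 decimals
    borrowed: int    # debt, 18 decimals


def collateral_ratio(pos, price):
    # 200 % collateral is represented as 200 * 1e18 (assumed scaling).
    return pos.deposited * price * 100 // pos.borrowed


def is_healthy(pos, price, cfg, vault):
    """Health check against the live ratio, as the report describes it."""
    return collateral_ratio(pos, price) >= cfg.get_safe_collateral_ratio(vault)


@dataclass
class Borrower:
    """Mitigation sketch: each borrow records the ratio in force at that time
    and health is judged against the debt-weighted average of those ratios."""
    deposited: int
    positions: list = field(default_factory=list)   # (debt, ratio_at_borrow)

    def borrow(self, debt, cfg, vault):
        self.positions.append((debt, cfg.get_safe_collateral_ratio(vault)))

    def required_ratio(self):
        total = sum(d for d, _ in self.positions)
        return sum(d * r for d, r in self.positions) // total

    def is_healthy(self, price):
        debt = sum(d for d, _ in self.positions)
        return self.deposited * price * 100 // debt >= self.required_ratio()


def demo():
    vault = "vault-A"            # constructed label, not a real address
    price = 2000 * WAD           # 1 unit of collateral == 2000 stablecoins
    pos = Position(deposited=1 * WAD, borrowed=1000 * WAD)   # 200 % collateralised

    unbounded = Configurator()
    healthy_before = is_healthy(pos, price, unbounded, vault)      # 200 % >= 160 %
    unbounded.set_safe_collateral_ratio(vault, 0, 250 * WAD)       # no cap: allowed
    healthy_after = is_healthy(pos, price, unbounded, vault)       # 200 % <  250 %

    capped = Configurator(max_ratio=200 * WAD)
    try:
        capped.set_safe_collateral_ratio(vault, 0, 250 * WAD)
        cap_blocked = False
    except ValueError:
        cap_blocked = True

    # Snapshot borrower: the first borrow keeps its 160 % requirement even
    # after the raise; a later borrow is taken at 250 % and shifts the average.
    snap = Borrower(deposited=1 * WAD)
    snap.borrow(1000 * WAD, Configurator(), vault)          # recorded at 160 %
    snapshot_healthy = snap.is_healthy(price)
    snap.borrow(500 * WAD, unbounded, vault)                # recorded at 250 %
    return {
        "healthy_before": healthy_before,
        "healthy_after": healthy_after,
        "cap_blocked": cap_blocked,
        "snapshot_healthy_after_raise": snapshot_healthy,
        "snapshot_required_ratio": snap.required_ratio(),   # (1000*160 + 500*250)/1500
    }
```

Running `demo()` shows the same 200 % position flipping from healthy to liquidatable purely because the threshold moved, the cap rejecting the raise, and the snapshot approach leaving the pre-existing borrow at its original 160 % requirement while new debt is taken at the new ratio.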