search

code-423n4 / 2023-07-amphora-findings

3 stars 2 forks source link

The borrower may be liquidated immediately upon resumption of repayments #365

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-amphora/blob/daae020331404647c661ab534d20093c875483e1/core/solidity/contracts/core/VaultController.sol#L584 https://github.com/code-423n4/2023-07-amphora/blob/daae020331404647c661ab534d20093c875483e1/core/solidity/contracts/core/VaultController.sol#L646-L650

Vulnerability details

This protocol has a paused state in which repay and liquidate operations are stopped. When not paused, liquidators can go ahead and liquidate users' positions before they have a chance to pay part of the debt to make their position healthy. It is likely that the actual oracle prices will go up or down during this pause period. If oracle prices go down, users will not be able to close their positions. Although the protocol allows users to add collateral, they may not have the resources to do so.

Impact

If a user attempts to pay his debt at the same time that repayment is enabled, he may be liquidated due to frontrunning.

Proof of Concept

Both functions contain the whenNotPaused modifier, so they are only usable when the pause is disabled. When this happens after a pause, a user in a liquidation state who wants to make his position healthy by calling one of the repay functions can be instantly liquidated due to frontrun.

  function _repay(uint96 _id, uint192 _amountInUSDA, bool _repayAll) internal paysInterest whenNotPaused {

https://github.com/code-423n4/2023-07-amphora/blob/daae020331404647c661ab534d20093c875483e1/core/solidity/contracts/core/VaultController.sol#L584

  function liquidateVault(
    uint96 _id,
    address _assetAddress,
    uint256 _tokensToLiquidate
  ) external override paysInterest whenNotPaused returns (uint256 _toLiquidate) {

https://github.com/code-423n4/2023-07-amphora/blob/daae020331404647c661ab534d20093c875483e1/core/solidity/contracts/core/VaultController.sol#L646-L650

Tools Used

Manual Review

Recommended Mitigation Steps

When repay is paused and then resumed, put a timer that prevents liquidations for some amount of time after (i.e. 4 hours) so that users can fairly repay their position after repayment has been resumed.

Assessed type

Context

c4-pre-sort commented 1 year ago

minhquanym marked the issue as primary issue

c4-sponsor commented 1 year ago

0xShaito marked the issue as disagree with severity

0xShaito commented 1 year ago

Pause is only used for completely extreme circumstances and shouldn't be used for long as it stops the protocol.

Either way, users can still deposit more to avoid any possible liquidations.

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid