code-423n4 / 2023-12-initcapital-findings


InitCore.liquidate uses stale toShares function #14

Closed c4-bot-9 closed 10 months ago

c4-bot-9 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/core/InitCore.sol#L303

Vulnerability details

Proof of Concept

When a position is going to be liquidated, the liquidator provides _poolToRepay and _poolOut. He wants to repay some amount to _poolToRepay and get shares from _poolOut back according to the repaid amount + bonus.

The ILendingPool(_poolOut).toShares function is used to calculate the amount of shares that the liquidator should get. The problem is that the toShares function doesn't have the accrue modifier, which means that if interest has not been accrued for a long time, the calculation of shares will be incorrect. For this reason, the protocol has created the toSharesCurrent function, which accrues interest and thus calculates shares correctly.

Impact

Shares are calculated incorrectly for the liquidation and the liquidator actually gets a bigger amount than he should.

Tools Used

VS Code

Recommended Mitigation Steps

- shares = ILendingPool(_poolOut).toShares((vars.repayAmtWithLiqIncentive * prices_e36[0]) / prices_e36[1]);
+ shares = ILendingPool(_poolOut).toSharesCurrent((vars.repayAmtWithLiqIncentive * prices_e36[0]) / prices_e36[1]);
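Review bot: on the + line, toSharesCurrent would accrue _poolOut again if that pool was already accrued earlier in the same liquidation, and the sponsor's reply in this thread says _liquidateInternal reaches getBorrowCreditCurrent_e36 and getCollateralCreditCurrent_e36 through getPosHealthCurrent_e18. Confirm whether _poolOut is covered by that path before changing the call. If it is, keep toShares and add a comment at this line stating that the pool is already accrued at this point; if it is not, the change is needed and should come with a test that liquidates after a long period without accrual.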

Assessed type

Error

c4-judge commented 10 months ago

hansfriese marked the issue as primary issue

c4-sponsor commented 10 months ago

fez-init (sponsor) disputed

fez-init commented 10 months ago

Relevant lending pools should already be accrued. The liquidate function invokes _liquidateInternal, which invokes getPosHealthCurrent_e18, which invokes getBorrowCreditCurrent_e36 and getCollateralCreditCurrent_e36.

hansfriese commented 10 months ago

Agree with the sponsor. accrue will be called in getBorrowCreditCurrent_e36/getCollateralCreditCurrent_e36.

c4-judge commented 10 months ago

hansfriese marked the issue as unsatisfactory: Invalid
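The two positions in this thread, as an added example that is not part of the issue or of the InitCapital code base: a simplified Python model of a share-based pool comparing a stale conversion with one that follows an accrual. The `ToyPool` class, its interest formula and all numbers are assumptions made for illustration; only the toShares / toSharesCurrent distinction and the "already accrued by the health check" argument come from the page.

```python
from dataclasses import dataclass

YEAR = 365 * 24 * 3600  # seconds


@dataclass
class ToyPool:
    """Simplified share-based lending pool (assumed model, not InitCapital's code)."""
    cash: int               # idle underlying held by the pool
    total_debt: int         # borrowed underlying as of last_accrued
    total_shares: int       # pool shares outstanding
    rate_per_year_bps: int  # simple interest rate, basis points per year
    last_accrued: int       # timestamp of the last accrual

    def accrue(self, now: int) -> None:
        """Add simple interest for the elapsed time to total_debt."""
        elapsed = now - self.last_accrued
        self.total_debt += self.total_debt * self.rate_per_year_bps * elapsed // (10_000 * YEAR)
        self.last_accrued = now

    def to_shares(self, amount: int) -> int:
        """Convert using stored totals; stale if accrue() has not run."""
        return amount * self.total_shares // (self.cash + self.total_debt)

    def to_shares_current(self, amount: int, now: int) -> int:
        """Accrue first, then convert."""
        self.accrue(now)
        return self.to_shares(amount)


def fresh_pool() -> ToyPool:
    # Constructed sample state: 1,000,000 units, 80% lent out at 10% a year.
    return ToyPool(cash=200_000, total_debt=800_000, total_shares=1_000_000,
                   rate_per_year_bps=1_000, last_accrued=0)


def liquidation_shares(accrue_in_health_check: bool, use_current: bool,
                       seize_amount: int = 10_000, now: int = YEAR) -> int:
    """Shares paid to the liquidator one year after the last accrual."""
    pool = fresh_pool()
    if accrue_in_health_check:
        pool.accrue(now)  # stands in for the accrual done during the health check
    if use_current:
        return pool.to_shares_current(seize_amount, now)
    return pool.to_shares(seize_amount)
```

In this model the stale conversion pays out more shares only when nothing has accrued the pool earlier in the call; once the accrual has run, both conversions return the same value.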