code-423n4 / 2023-12-initcapital-findings


Liquidator can get higher rate for liquidation #21

Closed c4-bot-9 closed 10 months ago

c4-bot-9 commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/core/InitCore.sol#L293-L295
https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/core/LiqIncentiveCalculator.sol#L57-L58

Vulnerability details

Proof of Concept

When a position is unhealthy, it can be liquidated. In order to incentivize someone to liquidate positions, they receive some extra amount of collateral. This incentive percentage is calculated inside the ILiqIncentiveCalculator(liqIncentiveCalculator).getLiqIncentiveMultiplier_e18 function, and the collateral and repayment tokens are passed as params.

Inside getLiqIncentiveMultiplier_e18 there is a maxTokenLiqIncentiveMultiplier_e18 variable calculation, which takes the max incentive of the collateral or repayment token.

The collateral token is the token that the liquidator would like to get back from the position, while the repayment token is what the liquidator is going to repay. This is actually the token that causes the position to be unhealthy, because the position has borrowed it. Thus only tokenLiqIncentiveMultiplier_e18[_repayToken] should be used and there is no need to fetch the incentive for the collateral.

Example: there are 2 modes and tokenLiqIncentiveMultiplier_e18[tokenA] = 110%, tokenLiqIncentiveMultiplier_e18[tokenB] = 120%:

A position in mode 1 becomes unhealthy and the liquidator provides the pool with tokenA as repayment and the pool with tokenB as pool out. As the liquidator liquidates tokenA right now, he should get the token incentive of 110%, but because the function also checks the incentive for the collateral token and takes the max, the liquidator gets 120%, which is incorrect imo as in this mode it's not even possible to borrow tokenB.

Impact

The liquidator gets a bigger incentive.

Tools Used

VsCode

Recommended Mitigation Steps

I think you don't need to fetch the incentive for the collateral token.

Assessed type

Error
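The following is an added example, not code from the InitCapital repository or from the warden's submission. It models only the behaviour the finding describes: the existing calculator takes the max of the per-token multipliers for the collateral and repay tokens, whereas the warden proposes using the repay token's multiplier alone. Token prices, position sizes, the `collateral_out` payout formula and the `compare` helper are constructed assumptions; the real contract's health-based scaling of the incentive is not modelled, and the example does not resolve the sponsor's point that collateral-side price moves can also be what makes a position unhealthy. It uses the same 1e18 fixed-point convention as the `_e18` values in the contracts so that the two policies can be compared in integer arithmetic.

```python
"""Added example (not InitCapital project code): compare the liquidation
incentive a liquidator receives under the existing max-of-both-tokens
policy versus the repay-token-only policy proposed in the finding.

Assumptions (constructed for illustration): token prices, the repay amount,
and the payout formula in collateral_out are hypothetical; only the
110% / 120% multipliers are taken from the finding's example.
"""

E18 = 10**18  # fixed-point scale used by the *_e18 values in the contracts

# Constructed per-token multipliers from the finding: tokenA = 110%, tokenB = 120%.
tokenLiqIncentiveMultiplier_e18 = {
    "tokenA": 110 * E18 // 100,
    "tokenB": 120 * E18 // 100,
}


def multiplier_existing(coll_token: str, repay_token: str) -> int:
    """Existing behaviour as described in the finding: max of both tokens' multipliers."""
    return max(
        tokenLiqIncentiveMultiplier_e18[coll_token],
        tokenLiqIncentiveMultiplier_e18[repay_token],
    )


def multiplier_repay_only(coll_token: str, repay_token: str) -> int:
    """Warden's proposed behaviour: only the repay token's multiplier is used."""
    return tokenLiqIncentiveMultiplier_e18[repay_token]


def collateral_out(repay_amount: int, repay_price_e18: int,
                   coll_price_e18: int, multiplier_e18: int) -> int:
    """Hypothetical payout formula: value repaid, scaled by the incentive
    multiplier, converted into collateral units at the collateral price."""
    repaid_value_e18 = repay_amount * repay_price_e18
    incentivised_value_e18 = repaid_value_e18 * multiplier_e18 // E18
    return incentivised_value_e18 // coll_price_e18


def compare(repay_amount: int = 500, coll_token: str = "tokenB",
            repay_token: str = "tokenA") -> tuple:
    """Return (collateral out under existing policy,
               collateral out under repay-only policy,
               excess collateral paid by the existing policy)."""
    price_e18 = E18  # constructed: both tokens priced at 1.0
    out_existing = collateral_out(
        repay_amount, price_e18, price_e18,
        multiplier_existing(coll_token, repay_token))
    out_repay_only = collateral_out(
        repay_amount, price_e18, price_e18,
        multiplier_repay_only(coll_token, repay_token))
    return out_existing, out_repay_only, out_existing - out_repay_only


if __name__ == "__main__":
    # The finding's scenario: repay tokenA (110%), receive tokenB (120%).
    existing, repay_only, excess = compare()
    print(f"existing (max) policy : {existing} tokenB out")
    print(f"repay-only policy     : {repay_only} tokenB out")
    print(f"excess collateral paid: {excess} tokenB")
```

Running it with the finding's scenario (repay 500 tokenA at price 1.0, receive tokenB at price 1.0) gives 600 tokenB out under the existing policy and 550 under the repay-only policy, i.e. the 120% versus 110% gap the warden describes, expressed in collateral units. Swapping the roles of the tokens (repay tokenB, receive tokenA) makes both policies agree at 120%, which is the case where the max only matters when the collateral token's multiplier is the larger one.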

c4-judge commented 10 months ago

hansfriese marked the issue as primary issue

c4-sponsor commented 10 months ago

fez-init (sponsor) disputed

fez-init commented 10 months ago

A position's health can be affected by both the collateral token and/or the borrow token, so both values should be taken into account.

hansfriese commented 10 months ago

From the sponsor's comment, the existing logic seems to be working as intended.

c4-judge commented 10 months ago

hansfriese marked the issue as unsatisfactory: Invalid