Closed c4-bot-3 closed 8 months ago
hansfriese marked the issue as primary issue
fez-init (sponsor) disputed
In repay and liquidate functions, _deltaShares will be negative, so the if clause will not be entered.
Agree with sponsor
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-12-initcapital/blob/a53e401529451b208095b3af11862984d0b32177/contracts/risk_manager/RiskManager.sol#L75
Vulnerability details
Impact
Repayment or liquidation can be blocked if the debt ceiling amount is decreased
Proof of Concept
When a user repays the debt or a liquidator repays the debt,
we are calling updateModeDebtShares, and the debt is reduced
this is calling
the transaction can revert in this line of code
when the debt ceiling is adjusted
consider the case
the admin sets the debt ceiling to 1 million
the total debt for borrowing becomes 0.7 million
then the admin decides to reduce the debt ceiling to 0.5 million; the intention is to not let users create more debt via borrowing
but then after admin calling
then user wants to repay the debt to reduce debt from 0.7 million to 0.6 million,
but because 0.6 million is greater than the 0.5 million debt ceiling configuration,
both liquidation and repayment revert, and users are forced to pay interest and incur more debt until liquidation after the admin increases the debt ceiling amount
Tools Used
Manual Review
Recommended Mitigation Steps
I think it is safe to skip this debt ceiling check when debt is decreased via repay
Assessed type
Invalid Validation
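As an added illustration (a constructed Python model, not InitCapital's contract code and not part of the original report), the following replays the report's numbers against two guards: one that checks the ceiling only when the signed delta is positive, as the sponsor describes, and one that checks on every update, as the report assumes. The class, method and flag names are hypothetical.

```python
# Constructed model of a mode-level debt ceiling; not InitCapital's code.
class DebtCeilingExceeded(Exception):
    """Stands in for an on-chain revert."""


class ModeDebt:
    def __init__(self, ceiling, check_on_decrease=False):
        self.ceiling = ceiling            # maximum debt allowed for the mode
        self.debt = 0                     # current total debt for the mode
        # Hypothetical switch: True models the unconditional check the report assumes.
        self.check_on_decrease = check_on_decrease

    def set_ceiling(self, ceiling):
        # Admin action; lowering the ceiling below current debt is allowed.
        self.ceiling = ceiling

    def update_debt(self, delta):
        """Apply a signed change: positive for borrow, negative for repay/liquidate."""
        new_debt = self.debt + delta
        if new_debt < 0:
            raise ValueError("repaying more than outstanding debt")
        # Ceiling is enforced only when debt grows, unless the switch is on.
        if (delta > 0 or self.check_on_decrease) and new_debt > self.ceiling:
            raise DebtCeilingExceeded(f"{new_debt} > {self.ceiling}")
        self.debt = new_debt
        return self.debt


def run_scenario(check_on_decrease):
    """Replay the report's numbers; return (repay outcome, borrow outcome, final debt)."""
    m = ModeDebt(ceiling=1_000_000, check_on_decrease=check_on_decrease)
    m.update_debt(700_000)               # debt reaches 0.7 million
    m.set_ceiling(500_000)               # admin lowers the ceiling to 0.5 million
    outcomes = []
    for delta in (-100_000, 1):          # repay down to 0.6 million, then try to borrow
        try:
            m.update_debt(delta)
            outcomes.append("ok")
        except DebtCeilingExceeded:
            outcomes.append("revert")
    return outcomes[0], outcomes[1], m.debt


if __name__ == "__main__":
    print("guard on increase only:", run_scenario(False))
    print("guard on every update: ", run_scenario(True))
```

With the guard limited to positive deltas, the repayment goes through while new borrowing above the lowered ceiling is still rejected.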