Closed c4-bot-10 closed 10 months ago
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L581
https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L365
Vulnerability details
Impact
LOAN_TERM adjustment can impact an ongoing leverage position and can be backrun to cause immediate liquidation
Proof of Concept
According to the documentation, the LOAN_TERM will be set to 7 days,
yet the admin preserves the right to adjust the LOAN_TERM at any time by calling the function updateLoanTerm

```solidity
function updateLoanTerm(uint256 loanTerm) external override onlyOwner {
    if (loanTerm > _LOAN_TERM_MAX) revert Errors.InvalidValue();
    LOAN_TERM = loanTerm;
    emit UpdateLoanTerm(loanTerm);
}
```

this parameter LOAN_TERM is used to validate whether a leveraged position is subject to liquidation (the user's premium is lost to the liquidator)

```solidity
// check for liquidation condition
///@dev the liquidation condition is that
///     (EITHER premium is not enough) OR (cutOffTime > startTime AND currentTime > startTime + LOAN_TERM)
if (
    !((closeCache.tokenFromPremium < liquidateCache.tokenFromOwed ||
        closeCache.tokenToPremium < liquidateCache.tokenToOwed) ||
        (lien.startTime < lps.getRenewalCutoffTime(lien.tokenId) &&
            lien.startTime + LOAN_TERM < block.timestamp))
) {
    revert Errors.LiquidationNotMet();
}
```
for example, if in the beginning, LOAN_TERM is 7 days,

```solidity
lien.startTime + LOAN_TERM < block.timestamp
```

returns false,
the user has opened a leverage position and intends to close the position in 6 days
5 and a half days pass
but the admin adjusts the LOAN_TERM to 5 days,
the user's position is subject to liquidation immediately
in the worst case, a user can monitor the decrease of LOAN_TERM to immediately liquidate the user's position and leave the user no time to add more premium
Tools Used
Manual Review
Recommended Mitigation Steps
recommend snapshotting the loan term and storing it in the LIEN struct so that a LOAN_TERM decrease does not impact an ongoing leverage position
Assessed type
MEV
0xleastwood marked the issue as duplicate of #52
0xleastwood marked the issue as satisfactory
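The mitigation recommended in the report (store the loan term in the lien when the position is opened), sketched as an added example; it is not the project's code and not part of the original submission. `LoanTermSnapshotSketch`, `LienSketch`, its `loanTerm` field, `openPosition`, the two `termExpired...` functions and the 30-day cap are hypothetical, and only the time branch of the liquidation condition is modelled, with the renewal cutoff passed in as a parameter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Reduced model of the time branch of the liquidation check (added example).
// LienSketch, loanTerm, openPosition and the 30-day cap are hypothetical names
// and values; the premium branch and the real Lien layout are omitted.
contract LoanTermSnapshotSketch {
    uint256 private constant _LOAN_TERM_MAX = 30 days; // assumed cap
    address public immutable owner;
    uint256 public LOAN_TERM = 7 days;

    struct LienSketch {
        uint256 startTime;
        uint256 loanTerm; // LOAN_TERM in force when the position was opened
    }

    LienSketch[] public liens;

    constructor() {
        owner = msg.sender;
    }

    function updateLoanTerm(uint256 loanTerm) external {
        require(msg.sender == owner, "not owner");
        require(loanTerm <= _LOAN_TERM_MAX, "invalid value");
        LOAN_TERM = loanTerm; // the snapshot check sees this only for new positions
    }

    function openPosition() external returns (uint256 lienId) {
        lienId = liens.length;
        liens.push(LienSketch({startTime: block.timestamp, loanTerm: LOAN_TERM}));
    }

    // Pattern from the report: reads the live global, so lowering LOAN_TERM
    // can make an already open position expire in the same block.
    function termExpiredGlobal(uint256 lienId, uint256 renewalCutoffTime) external view returns (bool) {
        LienSketch storage lien = liens[lienId];
        return lien.startTime < renewalCutoffTime && lien.startTime + LOAN_TERM < block.timestamp;
    }

    // Snapshot variant: the deadline is fixed at open time.
    function termExpiredSnapshot(uint256 lienId, uint256 renewalCutoffTime) external view returns (bool) {
        LienSketch storage lien = liens[lienId];
        return lien.startTime < renewalCutoffTime && lien.startTime + lien.loanTerm < block.timestamp;
    }
}
```

With the report's timeline (position opened under a 7-day term, 5.5 days elapsed, term lowered to 5 days, renewal cutoff after the start time), `termExpiredGlobal` returns true immediately after the update while `termExpiredSnapshot` stays false until the original 7 days have passed.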