Open c4-bot-9 opened 11 months ago
The cost of consistently manipulating the pool here would not be sustainable. While the liquidation would revert, the sandwich attack would not and require significant capital and fees in performing the swap. Ultimately, a liquidator could always side-step a sandwich attack.
Downgrading to QA.
0xleastwood changed the severity to QA (Quality Assurance)
Agree with the judge. This isn't currently a big concern. Also, about
Manipulating pools is costly but there can be scenarios where this is profitable for the borrower, depending on position price, size and current market.
Could you elaborate and provide a concrete example? Thanks!
wukong-particle (sponsor) acknowledged
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L399-L406 https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L415-L420
Vulnerability details
Impact
A borrower could manipulate the pool the liquidator is swapping in when closing to prevent the liquidation from happening.
Proof of Concept
When liquidating a position the liquidator closes the position on behalf of the borrower for a liquidation reward.
When closing a position, the token held by the borrower is traded back to cover the debt to the liquidity provider:
ParticlePositionManager::_closePosition#L399-L406
:These amounts are then used to check that the amount swapped will cover repaying the lender:
ParticlePositionManager::_closePosition#L415-L420
:Where
amountTo/FromAdd
is the amounts needed to repay the liquidity borrowed from the liquidity provider.The issue is that a borrower could manipulate the pool the liquidator is swapping in and cause the
amountReceived
tokens to be less than needed. This would stop the liquidation from happening.Manipulating pools is costly but there can be scenarios where this is profitable for the borrower, depending on position price, size and current market.
Tools Used
Manual audit
Recommended Mitigation Steps
Consider implementing a way for the liquidator to supply necessary tokens instead of swapping and then return that surplus to the liquidator
Assessed type
DoS