code-423n4 / 2023-12-particle-findings


borrower can prevent liquidation by manipulating the swap #47

Open c4-bot-9 opened 10 months ago

c4-bot-9 commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L399-L406

https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L415-L420

Vulnerability details

Impact

A borrower could manipulate the pool the liquidator is swapping in when closing to prevent the liquidation from happening.

Proof of Concept

When liquidating a position the liquidator closes the position on behalf of the borrower for a liquidation reward.

When closing a position, the token held by the borrower is traded back to cover the debt to the liquidity provider:

ParticlePositionManager::_closePosition#L399-L406:

File: contracts/protocol/ParticlePositionManager.sol

399:        (cache.amountSpent, cache.amountReceived) = Base.swap(
400:            cache.tokenFrom,
401:            cache.tokenTo,
402:            params.amountSwap,
403:            0, /// @dev we check cache.amountReceived is sufficient to repay LP in below
404:            DEX_AGGREGATOR,
405:            params.data
406:        );

These amounts are then used to check that the amount swapped will cover repaying the lender:

ParticlePositionManager::_closePosition#L415-L420:

File: contracts/protocol/ParticlePositionManager.sol

415:        if (
416:            cache.amountFromAdd > cache.collateralFrom + cache.tokenFromPremium - cache.amountSpent ||
417:            cache.amountToAdd > cache.amountReceived + cache.tokenToPremium
418:        ) {
419:            revert Errors.InsufficientRepay();
420:        }

Where amountTo/FromAdd are the amounts needed to repay the liquidity borrowed from the liquidity provider.

The issue is that a borrower could manipulate the pool the liquidator is swapping in and cause the amountReceived tokens to be less than needed. This would stop the liquidation from happening.

Manipulating pools is costly but there can be scenarios where this is profitable for the borrower, depending on position price, size and current market.

Tools Used

Manual audit

Recommended Mitigation Steps

Consider implementing a way for the liquidator to supply necessary tokens instead of swapping and then return that surplus to the liquidator.

Assessed type

DoS
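
A numeric model of the repay check quoted above, added here as an illustration; it is not code from the report or from the Particle contracts. It assumes a constant-product pool with a 0.3% fee in place of the DEX aggregator, uses constructed amounts throughout, and treats `liquidator_topup` as a hypothetical reading of the recommended mitigation.

```python
from dataclasses import dataclass

class InsufficientRepay(Exception):
    """Stands in for Errors.InsufficientRepay() in the quoted snippet."""

@dataclass
class Cache:  # field names follow the quoted _closePosition snippet
    amountFromAdd: int
    amountToAdd: int
    collateralFrom: int
    tokenFromPremium: int
    tokenToPremium: int
    amountSpent: int = 0
    amountReceived: int = 0

def swap_out(amount_in, reserve_in, reserve_out, fee_bps=30):
    """Output of an assumed constant-product pool (not the real aggregator)."""
    x = amount_in * (10_000 - fee_bps)
    return x * reserve_out // (reserve_in * 10_000 + x)

def check_repay(c, liquidator_topup=0):
    """Condition from L415-L420; liquidator_topup is hypothetical (mitigation)."""
    available_to = c.amountReceived + c.tokenToPremium + liquidator_topup
    if (c.amountFromAdd > c.collateralFrom + c.tokenFromPremium - c.amountSpent
            or c.amountToAdd > available_to):
        raise InsufficientRepay()
    return available_to - c.amountToAdd  # excess over the LP repayment

def close(reserve_from, reserve_to, amount_swap, liquidator_topup=0):
    """Close a constructed position; minAmountOut is 0, as on L403."""
    c = Cache(amountFromAdd=0, amountToAdd=950, collateralFrom=1_000,
              tokenFromPremium=0, tokenToPremium=10)
    c.amountSpent = amount_swap
    c.amountReceived = swap_out(amount_swap, reserve_from, reserve_to)
    return c.amountReceived, check_repay(c, liquidator_topup)

if __name__ == "__main__":
    # Balanced reserves: the swap output covers amountToAdd, the close succeeds.
    print("balanced:", close(1_000_000, 1_000_000, 1_000))
    # Skewed reserves (same product): the output drops and the check reverts.
    try:
        close(1_100_000, 909_091, 1_000)
    except InsufficientRepay:
        print("skewed: InsufficientRepay, liquidation reverts")
    # Mitigation reading: the liquidator covers the shortfall directly, so
    # the close no longer depends on the pool price at execution time.
    print("skewed + top-up:", close(1_100_000, 909_091, 1_000, liquidator_topup=117))
```
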

0xleastwood commented 10 months ago

The cost of consistently manipulating the pool here would not be sustainable. While the liquidation would revert, the sandwich attack would not and would require significant capital and fees in performing the swap. Ultimately, a liquidator could always side-step a sandwich attack.

0xleastwood commented 10 months ago

Downgrading to QA.

c4-judge commented 10 months ago

0xleastwood changed the severity to QA (Quality Assurance)

wukong-particle commented 10 months ago

Agree with the judge. This isn't currently a big concern. Also, about

> Manipulating pools is costly but there can be scenarios where this is profitable for the borrower, depending on position price, size and current market.

Could you elaborate and provide a concrete example? Thanks!

c4-sponsor commented 9 months ago

wukong-particle (sponsor) acknowledged