Closed c4-bot-2 closed 8 months ago
hansfriese marked the issue as primary issue
fez-init (sponsor) disputed
This is invalid
thanks @fez-init for point it out
// calculate fill order info
(uint amtOut, uint repayShares, uint repayAmt) = _calculateFillOrderInfo(order, marginPos, collToken);
// transfer in repay tokens
IERC20(borrToken).safeTransferFrom(msg.sender, address(this), repayAmt);
// transfer order owner's desired tokens to the specified recipient
IERC20(order.tokenOut).safeTransferFrom(msg.sender, order.recipient, amtOut);
note this line of code
IERC20(order.tokenOut).safeTransferFrom(msg.sender, order.recipient, amtOut);
if the repayShares / repay amount is less, the amtOut will increase
The amtOut of tokenOut does reflect the reduced repay amt & shares!
because of how _calculateFillOrderInfo is implemented
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/hook/MarginTradingHook.sol#L387 https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/core/PosManager.sol#L166
Vulnerability details
Impact
Order can be filled in a very unfavorable condition for order creator if user's borrow pool collateral is liquidated
Proof of Concept
https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/hook/MarginTradingHook.sol#L387
the order filler has two things that he should do
but Order can be filled in a very unfavorable condition for order creator if user's borrow pool collateral is liquidated
if user's borrow pool's collateral is liquidated, most of the debt in borrow pool is repaid by liquidator,
then the repayShares and repayAmt that order filler needs to repay will be very low and can be nearly to 0 because
totalDebtShares by calling getPosDebtShares can return very small number, even 0,
because liquidator or someone already repay the debt for borrow pool,
then while the order filler bascially needs to repay no borrow debt and can transfer the token to order recipient and takes user's collateral from collateral pool for free
recall:
the order filler has two things that he should do
but in the case we described,
repay debt in borrow pool, which is order filler's responsibility, can be avoided and skipped.
one way that order filler can take advantage of this is they can backrun liquidation / repayment to fill order and take collateral pool's collateral immediately within same block
Tools Used
Manual Review
Recommended Mitigation Steps
when borrow pool debt shares is too low, block order filling, or let order filler pays for collateral pool token before letting the order filler remove collateral pool's collateral
Assessed type
Token-Transfer