code-423n4 / 2024-01-salty-findings


liquidateUser cannot happen. #1040

Closed c4-bot-7 closed 5 months ago

c4-bot-7 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L140

Vulnerability details

Impact

If there is a sharp change in the collateral price and it goes below 95 percent, and the loss in liquidateUser is more than 5 percent, then no one wants to liquidate the asset.

Proof of Concept


```solidity
function liquidateUser( address wallet ) external nonReentrant
    {
    require( wallet != msg.sender, "Cannot liquidate self" );

    // First, make sure that the user's collateral ratio is below the required level
    require( canUserBeLiquidated(wallet), "User cannot be liquidated" );

    uint256 userCollateralAmount = userShareForPool( wallet, collateralPoolID );

    // Withdraw the liquidated collateral from the liquidity pool.
    // The liquidity is owned by this contract so when it is withdrawn it will be reclaimed by this contract.
    (uint256 reclaimedWBTC, uint256 reclaimedWETH) = pools.removeLiquidity(wbtc, weth, userCollateralAmount, 0, 0, totalShares[collateralPoolID] );

    // Decrease the user's share of collateral as it has been liquidated and they no longer have it.
    _decreaseUserShare( wallet, collateralPoolID, userCollateralAmount, true );

    // @>> The caller receives a default 5% of the value of the liquidated collateral.
    uint256 rewardPercent = stableConfig.rewardPercentForCallingLiquidation();

    uint256 rewardedWBTC = (reclaimedWBTC * rewardPercent) / 100;
    uint256 rewardedWETH = (reclaimedWETH * rewardPercent) / 100;

    // Make sure the value of the rewardAmount is not excessive
    uint256 rewardValue = underlyingTokenValueInUSD( rewardedWBTC, rewardedWETH ); // in 18 decimals
    uint256 maxRewardValue = stableConfig.maxRewardValueForCallingLiquidation(); // 18 decimals
    if ( rewardValue > maxRewardValue )
        {
        rewardedWBTC = (rewardedWBTC * maxRewardValue) / rewardValue;
        rewardedWETH = (rewardedWETH * maxRewardValue) / rewardValue;
        }

    // Reward the caller
    wbtc.safeTransfer( msg.sender, rewardedWBTC );
    weth.safeTransfer( msg.sender, rewardedWETH );

    // Send the remaining WBTC and WETH to the Liquidizer contract so that the tokens can be converted to USDS and burned (on Liquidizer.performUpkeep)
    wbtc.safeTransfer( address(liquidizer), reclaimedWBTC - rewardedWBTC );
    weth.safeTransfer( address(liquidizer), reclaimedWETH - rewardedWETH );

    // Have the Liquidizer contract remember the amount of USDS that will need to be burned.
    uint256 originallyBorrowedUSDS = usdsBorrowedByUsers[wallet];
    liquidizer.incrementBurnableUSDS(originallyBorrowedUSDS);

    // Clear the borrowedUSDS for the user who was liquidated so that they can simply keep the USDS they previously borrowed.
    usdsBorrowedByUsers[wallet] = 0;
    _walletsWithBorrowedUSDS.remove(wallet);

    emit Liquidation(msg.sender, wallet, reclaimedWBTC, reclaimedWETH, originallyBorrowedUSDS);
    }
```

Tools Used

Recommended Mitigation Steps

Use some other incentive for liquidation.

Assessed type

Context
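To make the incentive question in the finding above concrete, here is an added Python model of the reward branch of `liquidateUser()` (the 5% cut followed by the USD cap), written for this review and not taken from the Salty codebase. It assumes a simplified `underlyingTokenValueInUSD()` stand-in with 18-decimal USD prices, WBTC at 8 decimals and WETH at 18, and treats the caller's cost (gas) as an assumed USD figure; integer division mirrors Solidity truncation.

```python
# Added example modelling liquidateUser()'s reward math; not the project's own code.
# Assumptions: USD values carry 18 decimals (as maxRewardValueForCallingLiquidation does),
# WBTC has 8 decimals, WETH has 18, and prices are plain 18-decimal USD integers.

WBTC_DECIMALS = 8
WETH_DECIMALS = 18
ONE_USD = 10**18


def token_value_usd(wbtc_amount: int, weth_amount: int, wbtc_price: int, weth_price: int) -> int:
    """Assumed stand-in for underlyingTokenValueInUSD(): 18-decimal USD value of both tokens."""
    wbtc_value = (wbtc_amount * wbtc_price) // 10**WBTC_DECIMALS
    weth_value = (weth_amount * weth_price) // 10**WETH_DECIMALS
    return wbtc_value + weth_value


def caller_reward(reclaimed_wbtc: int, reclaimed_weth: int, reward_percent: int,
                  max_reward_value: int, wbtc_price: int, weth_price: int):
    """Mirror the contract: take reward_percent of each token, then cap by USD value.

    Returns (rewarded_wbtc, rewarded_weth, reward_value_usd) after the cap is applied.
    """
    rewarded_wbtc = (reclaimed_wbtc * reward_percent) // 100
    rewarded_weth = (reclaimed_weth * reward_percent) // 100
    reward_value = token_value_usd(rewarded_wbtc, rewarded_weth, wbtc_price, weth_price)
    if reward_value > max_reward_value:
        # Same proportional scale-down as the contract's `if ( rewardValue > maxRewardValue )` branch.
        rewarded_wbtc = (rewarded_wbtc * max_reward_value) // reward_value
        rewarded_weth = (rewarded_weth * max_reward_value) // reward_value
        reward_value = token_value_usd(rewarded_wbtc, rewarded_weth, wbtc_price, weth_price)
    return rewarded_wbtc, rewarded_weth, reward_value


def liquidation_is_incentivised(reward_value_usd: int, caller_cost_usd: int) -> bool:
    """A liquidator only acts while the (capped) reward exceeds what the call costs them."""
    return reward_value_usd > caller_cost_usd


if __name__ == "__main__":
    # Constructed scenario: 1 WBTC + 10 WETH of collateral, WBTC at $40,000, WETH at $2,000.
    big = caller_reward(10**8, 10 * 10**18, 5, 500 * ONE_USD, 40_000 * ONE_USD, 2_000 * ONE_USD)
    print("large position, capped reward (USD):", big[2] / ONE_USD)
    # Constructed scenario: a tiny position, where a $10 (assumed) call cost exceeds the 5% reward.
    small = caller_reward(10**5, 10**16, 5, 500 * ONE_USD, 40_000 * ONE_USD, 2_000 * ONE_USD)
    print("small position reward (USD):", small[2] / ONE_USD,
          "incentivised:", liquidation_is_incentivised(small[2], 10 * ONE_USD))
```

The two scenarios show the cap binding on a large position and the reward falling below an assumed call cost on a small one; whether that cost is ever exceeded in practice is exactly the proof the judge asked for.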

c4-judge commented 5 months ago

Picodes marked the issue as unsatisfactory: Insufficient proof