search

code-423n4 / 2024-01-salty-findings

11 stars 6 forks source link

The borrower's actions, such as repaying USDS or depositing collateral, may be vulnerable to front-running and subsequent liquidation #534

Closed c4-bot-9 closed 9 months ago

c4-bot-9 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L140-L188 https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L311-L342

Vulnerability details

Impact

There is no waiting time for a user to be liquidated. Thus, it's possible that the borrower's actions, such as repaying USDS or depositing collateral, may be front-run and get liquidated.

Proof of Concept

Since the reward will be distributed to the liquidator, MEV bots have incentive to call findLiquidatableUsers and liquidate Users.

        wbtc.safeTransfer( msg.sender, rewardedWBTC );
        weth.safeTransfer( msg.sender, rewardedWETH );

But if a user wants to avoid being liquidated, he should try repaying USDS or depositing collateral. However, his transaction could be front-run and subsequent liquidation may occur. Since there is no waiting or confirmation time, the borrower can do nothing about it.

Tools Used

Manual

Recommended Mitigation Steps

Add waiting or confirmation time after the liquidation is called, if the time has passed, the user could really be liquidated.

Assessed type

MEV

c4-judge commented 9 months ago

Picodes marked the issue as unsatisfactory: Invalid