Closed c4-bot-5 closed 5 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) disputed
This effect of rounding in the face of the large values involved is acceptable.
In the absence of proof that the impact of this small rounding issue can be significant I'll invalidate.
Picodes marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L322-L334
Vulnerability details
Impact
The CollateralAndLiquidity.findLiquidatableUsers function is used to find the list of borrowers who do not complement at least the minimumCollateralRatioPercent and are eligible to be liquidated.

The evaluation of whether a single borrowed wallet is liquidatable, based on its borrowed amount and minimumCollateralRatioPercent, is performed as shown below:

As is evident from the above code snippet, the minCollateralValue is rounded down. As a result, the minCollateralValue does not complement the minimumCollateralRatioPercent. Due to the rounding down of the minCollateralValue, the actual collateral ratio will now be slightly less than the minimumCollateralRatioPercent, which is not the expected functionality or behaviour of the salty protocol when it comes to liquidations. Here the rounding is happening in favour of the borrower and not in favour of the protocol.

Furthermore, the minCollateral value calculation is also rounded down. Since it rounds down, the user can have less than the minimum collateral liquidity required. Since the minCollateral value is calculated using the minCollateralValue, which was rounded down, and the minCollateral value is itself rounded down, the resulting minCollateral value does not complement the minimumCollateralRatioPercent value. This means the calculated minCollateral value for the user will result in a lower collateral ratio than the minimumCollateralRatioPercent.

The following check is performed to verify whether the wallet address is liquidatable.

Here the user liquidity share of the collateral pool is checked against the calculated minCollateral value. If the user liquidity share of the collateral pool is less than the minCollateral value, the wallet is considered liquidatable. But the issue here is that the minCollateral value is a value which was rounded down twice and is a value less than what it should be.

For example, assume the calculated minCollateral value is 2500. And the userShareForPool value is 2501. As a result, the wallet is not liquidatable since userShareForPool( wallet, collateralPoolID ) > minCollateral. But due to rounding down, the minCollateral value does not complement the minimumCollateralRatioPercent ratio. If the minimumCollateralRatioPercent ratio was complemented, then the minCollateral value should be more than the current value.

Had the minCollateral value been rounded up during its calculation rather than rounded down, the minCollateral value could be 2502. In which case the userShareForPool value of 2501 will be less than 2502. In this case the wallet address is considered liquidatable.

Hence it is clear from the above explanation that the rounding down of the minCollateral value in the CollateralAndLiquidity.findLiquidatableUsers function could lead to erroneous results with regard to the liquidatable wallets. The wallets which should be considered liquidatable are not considered so due to the rounding down of the minCollateral value.

Proof of Concept
https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L322-L334
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to perform the rounding in favor of the protocol. Hence it is recommended to round up the minCollateralValue value calculation and the minCollateral value calculation such that those values complement the minimumCollateralRatioPercent ratio. Furthermore, this will correctly choose the liquidatable wallets out of the borrowed wallets which do not at least have the minimum collateral ratio.

Assessed type
Other
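
The rounding effect discussed in this report, modelled as an added example (not code from the report or from the Salty repository). The snippet under discussion is not reproduced on this page, so the two-step formula, the conversion to pool shares via total_shares / total_value, the 110 percent ratio and the pool figures are all assumptions, constructed to reproduce the report's 2500 / 2501 / 2502 numbers; the exact variant cross-multiplies so that nothing is rounded.

```python
# Added illustration: every formula and number here is an assumption or a
# constructed value, not taken from CollateralAndLiquidity.sol.

def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up, for non-negative a and positive b."""
    return (a + b - 1) // b

def min_collateral(borrowed, ratio_percent, total_shares, total_value, round_up):
    """Two-step threshold: value required at the minimum ratio, then pool shares."""
    div = ceil_div if round_up else (lambda a, b: a // b)
    min_collateral_value = div(borrowed * ratio_percent, 100)       # first rounding
    return div(min_collateral_value * total_shares, total_value)    # second rounding

def liquidatable(user_share, borrowed, ratio_percent, total_shares, total_value, round_up):
    """The check described in the report: share strictly below the threshold."""
    threshold = min_collateral(borrowed, ratio_percent, total_shares, total_value, round_up)
    return user_share < threshold

def liquidatable_exact(user_share, borrowed, ratio_percent, total_shares, total_value):
    """Same comparison cross-multiplied, so no intermediate value is rounded."""
    return user_share * total_value * 100 < borrowed * ratio_percent * total_shares

# Constructed pool state: the exact threshold works out to 2500.236... shares.
POOL = dict(borrowed=1251, ratio_percent=110, total_shares=18169, total_value=10000)

def classify(user_share):
    """Liquidation decision for one wallet under each rounding policy."""
    return {
        "round_down": liquidatable(user_share, round_up=False, **POOL),
        "round_up": liquidatable(user_share, round_up=True, **POOL),
        "exact": liquidatable_exact(user_share, **POOL),
    }

if __name__ == "__main__":
    print("threshold, rounded down twice:", min_collateral(round_up=False, **POOL))
    print("threshold, rounded up twice:  ", min_collateral(round_up=True, **POOL))
    for share in (2500, 2501, 2502):
        print(share, classify(share))
```

With these constructed values a share of 2500 is missed only by the round-down path, while a share of 2501 is flagged only by the round-up path; here both compounded roundings sit within two share units of the exact comparison.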