Closed c4-bot-9 closed 5 months ago
GalloDaSballo marked the issue as sufficient quality report
Worth reviewing
GalloDaSballo marked the issue as primary issue
A rounding issue has been demonstrated, causing misaccounting of 1 wei. However it has not been lifted to the impact required for Medium+ severity.
trust1995 changed the severity to QA (Quality Assurance)
trust1995 marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L1250 https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/MainHelper.sol#L114 https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseCore.sol#L123 https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseCore.sol#L106
Vulnerability details
Vulnerability Details:
The liquidatePartiallyFromTokens function is used to liquidate a position which reaches a debt ratio greater than 100%. The liquidator can choose the token to payback and receive. (Both can differ). The amount to pay back is in shares of the payback token. The liquidator gets an incentive which is calculated inside the liquidation logic.
The function gets the paybackAmount by converting the users specified pay back shares using the paybackAmount function. The problem here is because the paybackAmount calculation rounds up a user can call the liquidatePartiallyFromTokens function with zero in _shareAmountToPay and the paybackAmount will be one.
This means the liquidation will proceed, setting the paybackAmount to 1 and updating the TotalPool and PseudoTotalBorrowAmount, yet leaving the TotalBorrowShares and userBorrowShares unchanged. This introduces inaccuracies into the protocol's balances, as a proper liquidation should simultaneously update both shares and amounts with it not being possible for one of them being zero while the other is nonzero.
This verification is correctly applied in cases where the amount is rounded down within the protocol, such as through the _validateNonZero check within the _handleDeposit function. However, this check is absent in scenarios where a user indicates zero shares.
Impact:
In such cases, the protocol's balances will be corrupted, and moreover, this vulnerability could be exploited to manipulate prices, an issue that has been observed on numerous occasions in the past.
Proof Of Concept
Tools Used:
Recommendation:
Add a check to ensure the specified _shareAmountToPay is greater then zero.
Assessed type
Other