code-423n4 / 2024-02-wise-lending-findings


Liquidation will DoS in case of tokens with blacklist properties #171

Closed c4-bot-8 closed 5 months ago

c4-bot-8 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/WiseLending.sol#L1250-L1309
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/WiseCore.sol#L681-L685

Vulnerability details

Impact

The liquidation function will DoS if the liquidator wishes to receive the token he is blacklisted for.

Proof of Concept

The liquidatePartiallyFromTokens() function is used to liquidate a position, and the liquidator can choose his payback and receive tokens while liquidating. If a liquidator somehow wishes to choose receiveTokens to be a token that has blacklisted addresses, and the liquidator is blacklisted for that token, the whole function will revert.

liquidatePartiallyFromTokens() calls _coreLiquidation() from WiseCore.sol, which in turn calls _safeTransfer() to transfer the receiveToken to the liquidator address.

```solidity
    function _coreLiquidation(
        CoreLiquidationStruct memory _data
    )
        internal
        returns (uint256 receiveAmount)
    {
        _validateNonZero(
            _data.paybackAmount
        );

        uint256 collateralPercentage = WISE_SECURITY.calculateWishPercentage(
            _data.nftId,
            _data.tokenToRecieve,
            WISE_ORACLE.getTokensInETH(
                _data.tokenToPayback,
                _data.paybackAmount
            ),
            _data.maxFeeETH,
            _data.baseRewardLiquidation
        );

        _validateParameter(
            collateralPercentage,
            PRECISION_FACTOR_E18
        );

        _corePayback(
            _data.nftId,
            _data.tokenToPayback,
            _data.paybackAmount,
            _data.shareAmountToPay
        );

        receiveAmount = _calculateReceiveAmount(
            _data.nftId,
            _data.nftIdLiquidator,
            _data.tokenToRecieve,
            collateralPercentage
        );

        WISE_SECURITY.checkBadDebtLiquidation(
            _data.nftId
        );

        _curveSecurityChecks(
            _data.lendTokens,
            _data.borrowTokens
        );

        _safeTransferFrom(
            _data.tokenToPayback,
            _data.caller,
            address(this),
            _data.paybackAmount
        );

  @>    _safeTransfer(
  @>        _data.tokenToRecieve,
  @>        _data.caller,
            receiveAmount
        );
    }
```

_safeTransfer will revert for tokens with blacklist properties such as USDC. This could be unintentional from the liquidator's side but will potentially lead to a DoS of the liquidatePartiallyFromTokens() function and an unfair loss of the liquidator's incentives.

Tools Used

Manual Review

Recommended Mitigation Steps

Put a try/catch around the liquidation transfer for a token that has blacklisted the caller.

Assessed type

DoS
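As an added illustration of the try/catch mitigation (example code, not Wise Lending's own and not part of the report): the payout to the liquidator is attempted through an external call, and if the token rejects the recipient the amount is escrowed as a claim instead of reverting the whole liquidation. The contract name, the `pendingPayout` mapping and `claimPayout` are assumptions for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch, not Wise Lending code: deliver the liquidator's
// reward with try/catch so a token that rejects the recipient (e.g. a
// blacklisted address) cannot block the rest of the liquidation.
contract LiquidationPayout {
    // token => liquidator => amount owed but not yet delivered
    mapping(address => mapping(address => uint256)) public pendingPayout;

    event PayoutDeferred(address indexed token, address indexed to, uint256 amount);

    function _payLiquidator(address token, address to, uint256 amount) internal {
        // try/catch only works on external calls, so the token is called
        // directly rather than through an internal _safeTransfer helper.
        // Assumption: the token returns a bool (as USDC does); a token that
        // returns no data would revert in the return-data decoding, which
        // is outside the try and therefore not caught.
        try IERC20(token).transfer(to, amount) returns (bool ok) {
            if (ok) return;
        } catch {}
        // Transfer reverted or returned false (blacklist, paused token, ...):
        // record the claim instead of reverting the whole liquidation.
        pendingPayout[token][to] += amount;
        emit PayoutDeferred(token, to, amount);
    }

    // The liquidator can collect later, e.g. once the token no longer
    // rejects the address. Paying only msg.sender keeps the token's own
    // transfer restrictions intact.
    function claimPayout(address token) external {
        uint256 amount = pendingPayout[token][msg.sender];
        require(amount > 0, "nothing to claim");
        pendingPayout[token][msg.sender] = 0;
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }
}
```

The catch block swallows every revert reason, so a deferred payout should be emitted and monitored rather than silently accumulated.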

c4-pre-sort commented 6 months ago

GalloDaSballo marked the issue as insufficient quality report

GalloDaSballo commented 6 months ago

Best sent in analysis

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as primary issue

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Out of scope