Closed c4-bot-4 closed 5 months ago
GalloDaSballo marked the issue as duplicate of #237
GalloDaSballo marked the issue as insufficient quality report
trust1995 marked the issue as partial-50
trust1995 marked the issue as full credit
trust1995 marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseSecurity/WiseSecurityHelper.sol#L876-L900 https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L1250-L1309
Vulnerability details
The
WiseSecurity.sol
has a glitch in thechecksLiquidation
andcheckMaxShares
functions, where a user can prevent liquidation by front-running the liquidator. This is achieved by topping up their position with a minimal amount (e.g., 1 share) just before the liquidation transaction is processed. This method exploits the liquidation logic that determines the maximum shares a liquidator can acquire based on the current debt and collateral level. If the liquidator attempts to liquidate the maximum possible value to drive the price to healthly state or up to 50% for liquidations that don't have enough bad debt, the user can make a small top-up to their position, causing the liquidator's transaction to revert due to theTooManyShares
error. Moreover, on Layer 2 networks where transaction costs are relatively low, users can repeatedly exploit this vulnerability with minimal expense, further driving their positions into bad debt.Impact
Unhealthly positions can delay being liquidated by making minimal top-ups to their accounts.
Proof of Concept
A user's account is on the verge of liquidation.
A liquidator attempts to liquidate this account by calculating the maximum shares they can acquire, as defined in the
checkMaxShares
function.Before the liquidator's transaction is mined, the user sends a transaction to slightly increase their collateral (by as little as 1 share or min amount that will revert).
The liquidator's transaction then checks if the share amount to pay exceeds the maximum allowed shares, which now includes the user's tiny top-up.
Because of this top-up, the liquidation transaction exceeds the maximum allowed shares and is reverted by the
TooManyShares
error, preventing the liquidation.The user can pay back any amount of shares, as low as 1, because there is no check for min value:
Tools Used
Manual Review
Recommended Mitigation Steps
Require minimum amount of repayment from user as with deposits, for example
min(userDebtInUSD, WISE_SECURITY.checkPoolWithMinDeposit(...))
. This will be more costly for the user and will limit the possible duration of bad debt attack.Assessed type
DoS