Closed c4-bot-6 closed 3 months ago
Worth considering
GalloDaSballo marked the issue as sufficient quality report
GalloDaSballo marked the issue as primary issue
Can also be circumvented by just paying back after borrowing. Doesnt really add any value imo
trust1995 marked issue #255 as primary and marked this issue as a duplicate of 255
trust1995 marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/WiseSecurity/WiseSecurity.sol#L1092-L1109 https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/WiseLending.sol#L1553-L1581
Vulnerability details
Impact
There is no incentive for liquidators to liquidate small positions (even under $100), especially on Mainnet, this will result in bad debt accrued for the WiseLending system because no one will be willing to remove the position and
FEE_MANAGER
will not be able to split the bad debt between depositors.Proof of Concept
If we take a look at the current gas prices on Mainnet:
We can see the current transaction prices varying and in peak hours they can be up to 5 times more, without additional costs of liquidation logic execution.
That way if there are many borrow positions eligible for liquidation but with unsatisfactory incentives for liquidators (liquidator receives less than the cost of executing the liquidation) and they approach insolvency, receiving roughly 5.90 USD incentive for the 100 USD borrow, it will lead to big harm for the protocol since they will result in an unaccounted bad debt for the system, without a proper way to be mitigated.
We can see in the code that there is no validation for the minimum borrowable amount, it has only to be enough to keep the position healthy.
In fact, there is a check for the
minDepositEthValue
when depositing:WiseSecurity.sol#L1092-L1109
But it can do nothing to prevent this malicious action to be executed.
For the borrow flow, there is no minimum borrowable amount.
WiseLending.sol#L1553-L1581
Tools Used
Manual Review
Recommended Mitigation Steps
Similar to the deposit functions, consider adding
minBorrowEthValue
to prevent such scenarios, otherwise to keep the solvency of the wholepoolMarket
admins of Wise will have to liquidate such a positions, losing money in gas fees without receiving anything back.Assessed type
Invalid Validation