Closed c4-bot-6 closed 6 months ago
0xEVom marked the issue as sufficient quality report
0xEVom marked the issue as duplicate of #231
0xEVom marked the issue as duplicate of #222
jhsagd76 changed the severity to 2 (Med Risk)
jhsagd76 marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L696-L698
Vulnerability details
Impact
A user undergoing the liquidation process can front-run a call to the
V3Vault.sol::liquidate
by manipulatingdebtShares
variable. This is possible due to the equality requirement of user's loandebtShares
andLiquidateParams.debtShares
at lines 696-698:To achieve that, a user can repay their loan with a minimal amount of tokens by calling
V3Vault.sol::repay()
function. This will causedebtShares
update as can be seen in lines 990-991.In this manner, a user can evade liquidation an unlimited number of times as long as it remains economically viable for them, potentially leading to bad debt for the protocol.
Proof of Concept
debtShares
of the loan as it is last seen on V3Vault contract.repay
transaction with several wei of the token and a higher gas price. This leadsdebtShares
of the loan to change (move down).Tools Used
Manual review.
Recommended Mitigation Steps
Remove
debtShares
equality check and rely solely on the loan health status.Assessed type
Other