code-423n4 / 2024-03-revert-lend-findings


User can front-run liquidation by repaying the minimum amount of tokens and gain time to not be liquidated #486

Closed c4-bot-6 closed 6 months ago

c4-bot-6 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L696-L698

Vulnerability details

Impact

A user undergoing the liquidation process can front-run a call to V3Vault.sol::liquidate() by manipulating the debtShares variable. This is possible due to the equality requirement between the user's loan debtShares and LiquidateParams.debtShares at lines 696-698:

        if (debtShares != params.debtShares) {
            revert DebtChanged();
        }

To achieve that, a user can repay their loan with a minimal amount of tokens by calling the V3Vault.sol::repay() function. This will cause a debtShares update, as can be seen in lines 990-991.

        uint256 loanDebtShares = loan.debtShares - shares;
        loan.debtShares = loanDebtShares;

In this manner, a user can evade liquidation an unlimited number of times as long as it remains economically viable for them, potentially leading to bad debt for the protocol.

Proof of Concept

  1. Alice deposits and borrows X amount.
  2. The collateral price moves down, exposing Alice's loan to possible liquidation.
  3. Bob the Liquidator executes liquidation of Alice's loan, specifying the debtShares of the loan as last seen on the V3Vault contract.
  4. Alice executes the repay transaction with several wei of the token and a higher gas price. This leads debtShares of the loan to change (move down).
  5. Bob's transaction reverts, leaving Alice's loan unhealthy and not liquidated.

Tools Used

Manual review.

Recommended Mitigation Steps

Remove the debtShares equality check and rely solely on the loan health status.

Assessed type

Other
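
A simplified model of the transaction ordering in the Proof of Concept, added here as an example and not taken from the report or from V3Vault.sol: it runs the equality-guarded liquidation next to the recommended health-only check. The Loan class, the 1:1 share accounting, the health rule and all numeric values are assumptions made for illustration.

```python
# Simplified model, not the V3Vault code. Assumptions: one loan, debt is
# tracked 1:1 in shares, and a loan is healthy when collateral >= debt.
from dataclasses import dataclass


class DebtChanged(Exception):
    """Stands in for the revert raised by the quoted equality check."""


class NotLiquidatable(Exception):
    """Raised when the loan is healthy at execution time."""


@dataclass
class Loan:
    debt_shares: int
    collateral_value: int  # constructed: already priced in debt units

    def healthy(self) -> bool:
        return self.collateral_value >= self.debt_shares


def repay(loan: Loan, shares: int) -> None:
    # Same state change as the quoted repay() lines.
    loan.debt_shares -= shares


def liquidate(loan: Loan, expected_debt_shares: int, check_equality: bool) -> int:
    # check_equality=True models the current guard; False models the
    # recommended mitigation that relies on health status only.
    if check_equality and loan.debt_shares != expected_debt_shares:
        raise DebtChanged()
    if loan.healthy():
        raise NotLiquidatable()
    cleared, loan.debt_shares = loan.debt_shares, 0
    return cleared


def simulate(check_equality: bool, dust: int = 1) -> tuple[str, int]:
    """Replay PoC steps 3-5: the borrower's repay executes first."""
    loan = Loan(debt_shares=1_000, collateral_value=900)  # constructed values
    snapshot = loan.debt_shares  # debtShares as last seen by the liquidator
    repay(loan, dust)            # ordered ahead of the liquidation
    try:
        liquidate(loan, snapshot, check_equality)
        outcome = "liquidated"
    except (DebtChanged, NotLiquidatable) as exc:
        outcome = type(exc).__name__
    return outcome, loan.debt_shares
```

With the equality check enabled, a one-share repay is enough to make the liquidation fail while the loan stays unhealthy; with the check removed, only a repayment that actually restores health stops it.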

c4-pre-sort commented 6 months ago

0xEVom marked the issue as sufficient quality report

c4-pre-sort commented 6 months ago

0xEVom marked the issue as duplicate of #231

c4-pre-sort commented 6 months ago

0xEVom marked the issue as duplicate of #222

c4-judge commented 6 months ago

jhsagd76 changed the severity to 2 (Med Risk)

c4-judge commented 6 months ago

jhsagd76 marked the issue as satisfactory