The liquidation can be prevented by the token owner without any problem. This would lead to the borrowers being unliquidatable.
Description
In the V3Vault.sol contract, the liquidate function has a major flaw. The owner of the NFT receives the NFT via a safeTransfer, which makes an external call to the owner itself, allowing him to revert the entire transaction (by reverting inside the onERC721Received function).
The transfer itself happens in the _cleanupLoan function, after removing the token from the owner in the lastTokenIndex and deleting the loan itself.
Impact
Since this would make the loans unliquidatable, the protocol would not be used: no one would want to lend money and be unable to recover it if the borrower does not wish to repay.
Proof Of Concept
Alice position state: Liquidatable.
Bob sees that Alice can be liquidated and calls liquidate.
Expected result:
Alice position state: Liquidated.
Bob is rewarded for calling liquidate.
Actual result if Alice wishes:
Alice position state: Liquidatable.
Bob is not rewarded since the liquidate call reverts.
Mitigation Steps
I would recommend making the owner claim the NFT after a liquidation occurs.
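A minimal sketch of the claim-based mitigation recommended above, added here as an example and not taken from the report or from the Revert Lend code base. The contract, function and mapping names are hypothetical, and the health check and debt accounting are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Simplified sketch, not the V3Vault code; all names here are hypothetical.
contract PullClaimVaultSketch {
    IERC721 public immutable nft;
    mapping(uint256 => address) public loanOwner;   // borrower while the loan is open
    mapping(uint256 => address) public claimableBy; // who may withdraw after liquidation

    constructor(IERC721 nft_) { nft = nft_; }

    function deposit(uint256 tokenId) external {
        nft.transferFrom(msg.sender, address(this), tokenId);
        loanOwner[tokenId] = msg.sender;
    }

    // Health check and debt accounting are omitted; assume the loan is liquidatable.
    function liquidate(uint256 tokenId) external {
        address owner = loanOwner[tokenId];
        require(owner != address(0), "no loan");
        delete loanOwner[tokenId];
        // Push form described in the finding (reverts if the owner's hook reverts):
        //   nft.safeTransferFrom(address(this), owner, tokenId);
        // Pull form: record the entitlement, make no call into owner-controlled code.
        claimableBy[tokenId] = owner;
    }

    // The owner collects the NFT in a separate transaction; a reverting
    // onERC721Received now only blocks the owner's own claim.
    function claim(uint256 tokenId) external {
        require(claimableBy[tokenId] == msg.sender, "not claimable");
        delete claimableBy[tokenId];
        nft.safeTransferFrom(address(this), msg.sender, tokenId);
    }
}
```

With the transfer moved into claim, liquidate no longer depends on any code the borrower controls.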
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L744
Assessed type
DoS