c4-bot-10 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L744

Vulnerability details

Summary

The liquidation can be prevented by the token owner without any problem. This would lead to the borrowers being unliquiditable.

Description

In the V3Vault.sol contract, the liquidate function has a major flaw. This is due to the owner of the NFT receiving the NFT via a safeTransfer which makes an external call the owner itself allowing him to revert the entire transaction(by reverting inside the onERC721Received function). The transfer itself happens on the _cleanupLoan function after removing the token from the owner in the lastTokenIndex and deleting the loan itself.

Impact

Since this would make the loans unliquiditable the protocol would not be used, since no one would want to lend money and not be able to recover it if the borrower does not wish to repay.

Proof Of Concept

Alice position state: Liquidatable.

Bob sees that Alice can be liquidated, and calls liquidate

Expected result:

Alice position state: Liquidated.
Bob is rewarded for calling liquidate.

Actual result if Alice wishes:

Alice position state: Liquidatable.
Bob is not rewarded since the liquidate call reverts.

Mitigation Steps

I would recommend to make the owner claim the NFT after a liquidation occurs.

Assessed type

DoS

c4-pre-sort commented 6 months ago

0xEVom marked the issue as sufficient quality report

c4-pre-sort commented 6 months ago

0xEVom marked the issue as duplicate of #54

c4-judge commented 6 months ago

jhsagd76 marked the issue as satisfactory

code-423n4 / 2024-03-revert-lend-findings

Borrower can prevent being liquidated. #499