c4-pre-sort
commented
8 months ago 0xEVom marked the issue as duplicate of #384
Closed c4-bot-10 closed 8 months ago
c4-pre-sort
commented
8 months ago 0xEVom marked the issue as duplicate of #384
c4-pre-sort
commented
8 months ago 0xEVom marked the issue as insufficient quality report
c4-judge
commented
7 months ago jhsagd76 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/utils/FlashloanLiquidator.sol#L41-L65
Vulnerability details
Impact
In a seperate submitted report, it was stated that a user can self-liquidate. This is also possible by through the FlashLoanLiquidator Contract.
It is possible for a tokenOwner to liquidate their collaterized tokenId rather then repaying the borrowed funds by calling the FlashLoanLiquidator.liquidate() . With this, even though the caller of V3Vault.liquidate() will be the FlashLoanLiquidator Contract, the user is still self-liquidating as the owner of the tokenId and liquidator in the
FlashCallbackDataSince the FlashLoanLiquidator.liquidate() function does not check that the caller is not the token owner, then it is possible for the tokenOwner[tokenId] to be the liquidate their own borrowed funds to get back their nonfungiblePositionManager position token and extra erc20 assets
Proof of Concept
In https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/utils/FlashloanLiquidator.sol#L41-L65 , there is no check for caller to not be the tokenOwner.
Tools Used
Manual
Recommended Mitigation Steps
Apply a check to ensure that the caller is not owner of the tokenId, i.e
require(msg.sender != params.vault.ownerOf(params.tokenId)).Assessed type
Other