code-423n4 / 2024-03-revert-lend-findings


Griefing attack: attacker can create multiple borrow with dust amount to make protocol suffer bad debt due to lack of incentive to liquidate them #511

Closed c4-bot-9 closed 3 months ago

c4-bot-9 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L550-#L602

Vulnerability details

When deploying the V3Vault contract, minLoanSize is originally set to 0:

// minimal size of loan (to protect from non-liquidatable positions because of gas-cost)
uint256 public minLoanSize = 0;

And in Uniswap v3, minting a position does not have any limitation in value: original code

An attacker can mint multiple positions with small amounts, transfer them to V3Vault and use them to borrow. When the price changes and these positions are under-collateralized, there is no incentive for anyone to liquidate them because the cost of gas required to call them is more than the value of the tokens they receive back.

Impact

The protocol will suffer bad debt because no one is willing to liquidate them.

Tools Used

Manual review

Recommended Mitigation Steps

The variable minLoanSize should be set when initializing this contract.

Assessed type

Other
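The break-even reasoning in the report above, as an added example that is not part of the original submission or the Revert Lend code base: it computes when a liquidation stops paying for its own gas and derives a floor for minLoanSize from that. The gas usage, gas price, ETH price, liquidation bonus and loan sizes are all assumed or constructed values, and the payoff model (bonus as a flat percentage of debt) is a simplification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LiquidationEconomics:
    # All four values are assumptions for illustration, not protocol parameters.
    gas_units: int            # gas consumed by one liquidation call
    gas_price_gwei: int       # gas price the liquidator pays
    eth_price_usd_cents: int  # ETH price in USD cents
    penalty_bps: int          # liquidator bonus, in basis points of the debt

    def gas_cost_cents(self) -> int:
        # gas_units * gwei * 1e-9 ETH per gwei * cents per ETH, rounded up
        scaled = self.gas_units * self.gas_price_gwei * self.eth_price_usd_cents
        return -(-scaled // 10**9)

    def reward_cents(self, debt_cents: int) -> int:
        return debt_cents * self.penalty_bps // 10_000

    def worth_liquidating(self, debt_cents: int) -> bool:
        return self.reward_cents(debt_cents) > self.gas_cost_cents()

    def min_loan_size_cents(self) -> int:
        # Smallest debt whose bonus strictly exceeds the gas cost.
        need = (self.gas_cost_cents() + 1) * 10_000
        return -(-need // self.penalty_bps)


def stranded_debt_cents(loans_cents, econ):
    """Total debt in unhealthy loans that no rational liquidator will touch."""
    return sum(d for d in loans_cents if not econ.worth_liquidating(d))


# Constructed sample: 1,000 dust loans of $1 plus one $500 loan, all unhealthy.
SAMPLE_LOANS = [100] * 1000 + [50_000]
# Assumed: 300k gas, 30 gwei, ETH at $3,000, 10% liquidation bonus.
ECON = LiquidationEconomics(300_000, 30, 300_000, 1_000)

if __name__ == "__main__":
    print("gas cost per liquidation (cents):", ECON.gas_cost_cents())
    print("stranded debt (cents):", stranded_debt_cents(SAMPLE_LOANS, ECON))
    print("minLoanSize floor (cents):", ECON.min_loan_size_cents())
```

Because the floor scales with gas price, a value chosen for minLoanSize should be derived from a stressed gas price rather than the current one.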

c4-pre-sort commented 4 months ago

0xEVom marked the issue as insufficient quality report

c4-pre-sort commented 3 months ago

0xEVom marked the issue as sufficient quality report

c4-pre-sort commented 3 months ago

0xEVom marked the issue as duplicate of #455

c4-judge commented 3 months ago

jhsagd76 marked the issue as satisfactory