c4-bot-3 closed 6 months ago
0xEVom marked the issue as insufficient quality report
Unclear that this assumption is indeed made.
The units of feeValue and fee0, fee1 are not the same here; one represents value and the other represents tokens. The underlying calculation of feeValue is entirely the same as that of fee0 and fee1, with the only potential discrepancy arising from separately calculating their values.
jhsagd76 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L1054-L1055
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L1275
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Oracle.sol#L121
Vulnerability details
Impact
The protocol is wrongly assuming that the sum of fee0 and fee1 would always be equal to the fee value, which was used to share liquidation value in the _sendPositionValue(...) function. In a situation where fee0 + fee1 is not equal to feeValue, the excess liquidation value would be lost completely as it is not accounted for in the contract.
Proof of Concept
The _sendPositionValue(...) function above in the V3Vault contract shows how liquidationValue is shared whenever it is less than feeValue. As noted from the 2nd and 3rd pointers above, in the implementation liquidity is reduced to zero while the liquidationValue is shared in the ratio of fees0 to fees1, with the assumption that the sum of both would be equal to feeValue. The first pointer shows how fees0 & fees1 are obtained from the Oracle contract, and a trackdown of feeValue shows that it is also called from the Oracle contract, as noted in the code provided below.
Finally, the code provided below is from the Oracle contract; it shows the interaction between feeValue and fee1 and fee0. Due to the complexities of the interaction between price0X96, price1X96 and priceTokenX96 in deriving feeValue, there is no guarantee that feeValue would equal the sum of fee1 & fee0, as prices are always changing.
Tools Used
Manual Review
Recommended Mitigation Steps
The protocol should not assume feeValue would always equal fee0 + fee1; instead, it should make arrangements to ensure the liquidationValue in the _sendPositionValue(...) function of the V3Vault.sol contract is not lost due to this wrong assumption.
Assessed type
Math
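The unit distinction raised in the judging comments, worked through as an added example that is not part of the submission or of the Revert Lend code. It assumes a simplified integer model: each token amount is valued as `amount * priceX96 // priceTokenX96`, feeValue is the sum of the two values, and the split scales each token amount by `liquidationValue / feeValue`. All function names and sample numbers are constructed.

```python
# Simplified model for illustration only; not the V3Vault / V3Oracle source.
Q96 = 2**96  # fixed-point scale suggested by the X96 price names

def token_value(amount, price_x96, price_token_x96):
    """Value of a token amount in the reference token (assumed formula)."""
    return amount * price_x96 // price_token_x96

def fee_value(fees0, fees1, price0_x96, price1_x96, price_token_x96):
    """feeValue: a value, computed from the same fees0/fees1 token amounts."""
    return (token_value(fees0, price0_x96, price_token_x96)
            + token_value(fees1, price1_x96, price_token_x96))

def split_fees(liquidation_value, fee_val, fees0, fees1):
    """Pro-rata split: scale each token amount by liquidation_value / fee_val."""
    if not 0 < liquidation_value <= fee_val:
        raise ValueError("model covers only 0 < liquidationValue <= feeValue")
    return (liquidation_value * fees0 // fee_val,
            liquidation_value * fees1 // fee_val)

def run_case(liquidation_value):
    # Constructed prices: token0 is worth 3000 reference units, token1 is worth 1.
    price0, price1, price_token = 3000 * Q96, 1 * Q96, Q96
    fees0, fees1 = 5_000, 2_000_000              # token amounts
    fv = fee_value(fees0, fees1, price0, price1, price_token)
    take0, take1 = split_fees(liquidation_value, fv, fees0, fees1)
    sent = fee_value(take0, take1, price0, price1, price_token)
    return {
        "token_sum": fees0 + fees1,              # tokens, mixed units
        "fee_value": fv,                         # value
        "taken": (take0, take1),
        "sent_value": sent,
        "shortfall": liquidation_value - sent,   # rounding only
    }

if __name__ == "__main__":
    for liq in (6_800_000, 1_000_001):
        print(liq, run_case(liq))
```

In this model the value sent tracks liquidationValue up to integer rounding even though fees0 + fees1 is nowhere near feeValue, because the ratio is applied to token amounts and the sum of token amounts never enters the calculation.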