c4-bot-4 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-lavarage/blob/9e8295b542fb71b2ba9b4693e25619585266d19e/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L27

Vulnerability details

Impact

Lenders will experience net losses, since under-collateralized positions won't be liquidatable

Proof of Concept

The current implementation of the liquidate function currently has a LTV check that looks like this:

require!(ctx.accounts.position_account.amount * 1000 / position_size  > 900, FlashFillError::ExpectedCollateralNotEnough );

What it does is that it checks whether the LTV of the position that is attempted to be liquidates is greater than 90%. If it is, it proceeds and liquidates the specified position and if it isn't, it reverts the transaction execution. There is one critical value that it does not take into account though - the amount of accrued interest fees.

What this can lead to is that in the event where a borrower has accrued a lot of interest fees, so much that their borrowerd amount + accumulated interest fees is > their collateral's worth in SOL, they will most likely decide to not repay their loan, as this will be the more economically favorable option for them. In that case, if their LTV calculated by the above formula is less than 90%, their position will be also be non-liquidatable. And in that case, since their collateral is locked within the PDA for their position, the lender from who's trading pool they took the loan from will experience a big loss, as they will neither be able to get back their SOL from that loan nor the collateral for it.

Tools Used

Manual review

Recommended Mitigation Steps

Take the accrued interest fees into account when making the LTV check in the liquidate function

Assessed type

Math