The issue is that the liquidation reward is sent to msg.sender instead of the recipient set in the LiquidateParams config:

    struct LiquidateParams {
        // token to liquidate
        uint256 tokenId;
        // expected debt shares - reverts if changed in the meantime
        uint256 debtShares;
        // min amount to receive
        uint256 amount0Min;
        uint256 amount1Min;
        // recipient of rewarded tokens
        address recipient;
        // if permit2 signatures are used - set this
        bytes permitData;
    }

    // send promised collateral tokens to liquidator
    (amount0, amount1) =
        _sendPositionValue(params.tokenId, state.liquidationValue, state.fullValue, state.feeValue, msg.sender);

Mitigation
PR #20
The mitigation code changes msg.sender to params.recipient to send the liquidation reward to the input recipient instead:
C4 issue
M-09: Liquidation reward sent to msg.sender instead of recipient
Comment
The mitigation solved the original issue
Conclusion
LGTM
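
The behaviour before and after the change described above, as an added example that is not the project's code or the code from PR #20. `MockVault`, `RecipientRegressionCheck`, `REWARD`, `TREASURY` and the mapping-based balances are hypothetical stand-ins for the real vault and token transfers; the check makes the caller and the recipient different addresses, which is the only case where the bug is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model: a mapping stands in for real token transfers.
contract MockVault {
    struct LiquidateParams {
        uint256 tokenId;
        address recipient; // recipient of rewarded tokens
    }

    uint256 public constant REWARD = 100; // constructed value
    mapping(address => uint256) public rewardBalance;

    // Behaviour reported in M-09: the reward follows msg.sender.
    function liquidateBefore(LiquidateParams calldata params) external {
        _sendPositionValue(params.tokenId, msg.sender);
    }

    // Behaviour after the mitigation: the reward follows params.recipient.
    function liquidateAfter(LiquidateParams calldata params) external {
        _sendPositionValue(params.tokenId, params.recipient);
    }

    // Simplified (hypothetical) signature: credits a fixed reward to `to`.
    function _sendPositionValue(uint256, address to) internal {
        rewardBalance[to] += REWARD;
    }
}

// Plays a liquidator contract that wants rewards paid to a separate address.
contract RecipientRegressionCheck {
    MockVault public vault = new MockVault();
    address public constant TREASURY = address(0xBEEF); // constructed address

    function check() external returns (bool) {
        MockVault.LiquidateParams memory p =
            MockVault.LiquidateParams({tokenId: 1, recipient: TREASURY});

        // Before: the calling contract is credited, the recipient gets nothing.
        vault.liquidateBefore(p);
        require(vault.rewardBalance(address(this)) == 100, "caller not paid");
        require(vault.rewardBalance(TREASURY) == 0, "recipient paid early");

        // After: the recipient is credited, the caller's balance is unchanged.
        vault.liquidateAfter(p);
        require(vault.rewardBalance(TREASURY) == 100, "recipient not paid");
        require(vault.rewardBalance(address(this)) == 100, "caller paid again");
        return true;
    }
}
```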