Liquidating a position in V3Vault.sol used to directly send back the NFT to its owner in the same transaction. This allowed a malicious borrower contract to make its onERC721Received() function revert and prevent liquidation from happening
Mitigation
PR-8 successfully mitigates the original issue by implementing the pull over push pattern when returning position NFTs to their owners:
the _cleanupLoan() function used inside liquidate() to send the liquidated position NFT to its owner has been refactored so that it only clears the position from the loan, without sending it directly.
a separate remove() method has been added, so that the owner can withdraw the NFT from the protocol
Due to the changes, liquidation() cannot be DOSed through this vector.
Lines of code
Vulnerability details
C4 Issue
H-06: Owner of a position can prevent liquidation due to the 'onERC721Received' callback
Issue Details
Liquidating a position in
V3Vault.sol
used to directly send back the NFT to its owner in the same transaction. This allowed a malicious borrower contract to make itsonERC721Received()
function revert and prevent liquidation from happeningMitigation
PR-8 successfully mitigates the original issue by implementing the
pull over push
pattern when returning position NFTs to their owners:_cleanupLoan()
function used insideliquidate()
to send the liquidated position NFT to its owner has been refactored so that it only clears the position from the loan, without sending it directly.remove()
method has been added, so that the owner can withdraw the NFT from the protocolDue to the changes,
liquidation()
cannot be DOSed through this vector.Conclusion
Mitigation Confirmed