V3Vault.liquidate() accepts LiquidateParams calldata params as input data which looks like this:
struct LiquidateParams {
// token to liquidate
uint256 tokenId;
// expected debt shares - reverts if changed in the meantime
uint256 debtShares;
// min amount to recieve
uint256 amount0Min;
uint256 amount1Min;
// recipient of rewarded tokens
address recipient;
// if permit2 signatures are used - set this
bytes permitData;
}
the recipient field of the struct is the address where the reward tokens should be sent after liquidation.
Problem was that liquidate() was sending the tokens to msg.sender instead of params.recipient, which broke the protocol expected behaviour
Mitigation
PR-20 successfully mitigates the original issue by replacing msg.sender with params.recipient
Lines of code
Vulnerability details
C4 Issue
M-09: Liquidation reward sent to msg.sender instead of recipient
Issue Details
V3Vault.liquidate()
acceptsLiquidateParams calldata params
as input data which looks like this:the
recipient
field of the struct is the address where the reward tokens should be sent after liquidation.Problem was that
liquidate()
was sending the tokens tomsg.sender
instead ofparams.recipient
, which broke the protocol expected behaviourMitigation
PR-20 successfully mitigates the original issue by replacing
msg.sender
withparams.recipient
Conclusion
Mitigation Confirmed