M-09 MitigationConfirmed

[c4-bot-2]

Lines of code

Vulnerability details

C4 Issue

M-09: Liquidation reward sent to msg.sender instead of recipient

Issue Details

V3Vault.liquidate() accepts LiquidateParams calldata params as input data which looks like this:

 struct LiquidateParams {
        // token to liquidate
        uint256 tokenId;
        // expected debt shares - reverts if changed in the meantime
        uint256 debtShares;
        // min amount to recieve
        uint256 amount0Min;
        uint256 amount1Min;
        // recipient of rewarded tokens
        address recipient;
        // if permit2 signatures are used - set this
        bytes permitData;
    }

the recipient field of the struct is the address where the reward tokens should be sent after liquidation.

Problem was that liquidate() was sending the tokens to msg.sender instead of params.recipient, which broke the protocol expected behaviour

Mitigation

PR-20 successfully mitigates the original issue by replacing msg.sender with params.recipient

Conclusion

Mitigation Confirmed

[c4-judge]

jhsagd76 marked the issue as satisfactory

[c4-judge]

jhsagd76 marked the issue as confirmed for report