Open c4-bot-2 opened 4 months ago
kalinbas marked the issue as disagree with severity
FlashloanLiquidator is not needed when liquidationCost = 0. It can be just liquidated directly.
kalinbas (sponsor) acknowledged
Hi @kalinbas , thank you for your response.
As I stated in the finding, I understand that if liquidationCost is 0 then there is no need to flash loan and user can just call V3Vault.liquidate directly.
However, most users will not calculate the liquidationCost themselves and they can't anticipate the value at the time they call liquidate on FlashloanLiquidator. If FlashloanLiquidator reverts then the users will lose an opportunity to liquidate before others since it might be too late when they realize their transaction reverts and call liquidate on Vault again.
Can you check?
I agree with the sponsor's viewpoint. In fact, I believe that the current implementation better conforms to the code standards (just IMO). The clearer the boundaries of specific functionalities within a fully functional system, the fewer vulnerabilities there will be under edge conditions.
jhsagd76 changed the severity to QA (Quality Assurance)
jhsagd76 marked the issue as grade-a
Lines of code
https://github.com/revert-finance/lend/blob/audit/src/utils/FlashloanLiquidator.sol#L43-L45
Vulnerability details
Impact
Users cannot liquidate positions in case liquidationCost = 0.
Proof of concept
The contract FlashloanLiquidator is used by users who want to flash loan for tokens in order to liquidate loan positions. The function FlashloanLiquidator.liquidate will first check and revert if liquidationCost = 0:
The assumption that if liquidationCost = 0 then the position is not liquidatable is not correct, since in function V3Vault._calculateLiquidation, this value can be zero if fullValue <= penalty or fullValue <= 10% debt:
I understand that if liquidationCost is 0 then there is no need to flash loan and user can just call V3Vault.liquidate directly. However, most normal users will never calculate the liquidatorCost themselves; they will rely on FlashloanLiquidator and expect that even in cases where liquidatorCost is 0, they can still liquidate the positions. Otherwise it will make them unable to liquidate positions before others.
Recommended mitigation
I think Revert Lend should also return the isHealthy variable in function loanInfo, this will help distinguish between 2 cases both having liquidationCost=0; one is that the position is indeed not healthy and liquidationCost = 0, the other is that the position is Healthy.
Then, in FlashloanLiquidator, if the position is liquidatable and liquidationCost = 0, simply call liquidate for the user without taking flash loan.
Assessed type
Invalid Validation
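The recommended mitigation above, as an added sketch that is not part of the original report or of Revert Lend's code. IVaultLike, LiquidatorSketch and _liquidateWithFlashloan are hypothetical, simplified names, and the loanInfo and liquidate signatures shown are assumptions, not the real V3Vault ABI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical, simplified vault interface for illustration only.
// It is NOT the real V3Vault ABI: loanInfo is reduced to the fields used here
// and already includes the isHealthy flag proposed in the mitigation.
interface IVaultLike {
    function loanInfo(uint256 tokenId)
        external
        view
        returns (bool isHealthy, uint256 liquidationCost, uint256 liquidationValue);

    // Assumed behaviour: pulls liquidationCost from msg.sender and sends
    // the liquidated collateral to recipient.
    function liquidate(uint256 tokenId, address recipient) external;
}

abstract contract LiquidatorSketch {
    error NotLiquidatable();

    // Hypothetical hook standing in for the existing flash-loan path
    // (borrow cost, liquidate, swap, repay).
    function _liquidateWithFlashloan(
        IVaultLike vault,
        uint256 tokenId,
        uint256 cost,
        address recipient
    ) internal virtual;

    function liquidate(IVaultLike vault, uint256 tokenId) external {
        (bool isHealthy, uint256 liquidationCost,) = vault.loanInfo(tokenId);

        // Health, not cost, decides whether the position can be liquidated.
        if (isHealthy) revert NotLiquidatable();

        if (liquidationCost == 0) {
            // Unhealthy but nothing to repay: skip the flash loan and
            // liquidate directly on behalf of the caller.
            vault.liquidate(tokenId, msg.sender);
        } else {
            _liquidateWithFlashloan(vault, tokenId, liquidationCost, msg.sender);
        }
    }
}
```

Both the loanInfo read and the liquidation happen in the same transaction, so the health check and the cost cannot diverge between the two calls.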