When calculating the liquidation value for a loan, Revert implements the following formula to calculate the starting liquidation value in _calculateLiquidation():
collateralValue is derived from the _checkLoanIsHealthy() function. This function calculates the collateral factor based on the collateral token's collateralFactorX32 value:
Besides representing the collateral factor for a token, collateralFactorX32 also doubles as a token whitelist flag. If collateralFactorX32 is set to 0, Revert treats that token as blacklisted and not in use.
With this in mind, any time _calculateLiquidation() is called, the collateralValue from _checkLoanIsHealthy() is used. This means that if a token is whitelisted:
1. A loan is created.
2. The token is blacklisted.
3. The loan becomes liquidatable.
4. A liquidator attempts to liquidate the loan and _calculateLiquidation() is called. Because collateralValue is considered 0, a division-by-zero error will occur. This prevents any liquidator from liquidating the "orphaned" loan.
Mitigation
PR #25
The fix is straightforward. Within _calculateLiquidation(), the collateral value is checked against zero. If the value is zero, the protocol defaults the liquidation value to the max penalty value: debt * (Q32 + MAX_LIQUIDATION_PENALTY_X32) / Q32. This change avoids using collateralValue as a denominator when the value is zero. In addition, by setting the value to the max liquidation penalty, Revert incentivizes its liquidators to liquidate loans with blacklisted collateral tokens, expediting the removal of all "orphaned" loans.
If the collateralValue is greater than 0, then Revert will follow the original implementation and utilize the start liquidation value formula. Because of the collateralValue > 0 check, we are guaranteed that a division-by-zero error will not occur.
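The orphaned-loan scenario and the zero guard can be checked with a small Python model of the X32 fixed-point arithmetic. This is an added example, not Revert's Solidity code: the function names, the 10% penalty constant, the way collateralValue is derived, and the shape of the start-value formula (collateralValue as the denominator) are assumptions made for illustration.

```python
# Added illustration: a Python model of the arithmetic, not the project's contract code.
Q32 = 2**32
# Constructed value for this example; the real constant is not shown on the page.
MAX_LIQUIDATION_PENALTY_X32 = Q32 // 10


def collateral_value(full_value: int, collateral_factor_x32: int) -> int:
    """Assumed model of the collateralValue reported by _checkLoanIsHealthy():
    the position value scaled by the token's collateralFactorX32."""
    return full_value * collateral_factor_x32 // Q32


def start_value_unguarded(debt: int, full_value: int, coll_value: int) -> int:
    """Assumed pre-fix shape: collateralValue is used directly as the denominator."""
    # Python raises ZeroDivisionError here; in Solidity the transaction reverts.
    return debt * full_value // coll_value


def start_value_guarded(debt: int, full_value: int, coll_value: int) -> int:
    """Post-fix behaviour as described above: default to the max penalty value
    when collateralValue is zero, otherwise use the original formula."""
    if coll_value == 0:
        return debt * (Q32 + MAX_LIQUIDATION_PENALTY_X32) // Q32
    return debt * full_value // coll_value


def liquidation_blocked(calc, debt: int, full_value: int, factor_x32: int) -> bool:
    """True if the calculation aborts, i.e. no liquidator can close the loan."""
    try:
        calc(debt, full_value, collateral_value(full_value, factor_x32))
        return False
    except ZeroDivisionError:
        return True


# Constructed sample loan: debt 1000 and position value 1500, in 6-decimal token units.
DEBT = 1_000 * 10**6
FULL_VALUE = 1_500 * 10**6
WHITELISTED_X32 = Q32 * 3 // 4   # 75% collateral factor
BLACKLISTED_X32 = 0              # factor set to 0 after the loan was created

if __name__ == "__main__":
    for name, calc in (("unguarded", start_value_unguarded),
                       ("guarded", start_value_guarded)):
        for label, factor in (("whitelisted", WHITELISTED_X32),
                              ("blacklisted", BLACKLISTED_X32)):
            blocked = liquidation_blocked(calc, DEBT, FULL_VALUE, factor)
            print(f"{name:9} {label:11} liquidation blocked: {blocked}")
```

Because the guard tests collateralValue itself rather than the factor, it also covers the case where a non-zero factor rounds the collateral value down to zero.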
C4 issue
M-20: Tokens can't be removed as a collateral
Conclusion
LGTM