code-423n4 / 2024-04-revert-mitigation-findings


M-24 MitigationConfirmed #98

Open c4-bot-10 opened 5 months ago

c4-bot-10 commented 5 months ago

Lines of code

https://github.com/revert-finance/lend/blob/audit/src/V3Vault.sol?plain=1#L1211

Vulnerability details

C4 issue

M-24: Incorrect liquidation fee calculation during underwater liquidation, disincentivizing liquidators to participate

Comments

When a liquidator liquidates a loan, the liquidator must pay a liquidation fee. This fee, according to the Revert whitepaper, should be calculated as 10% of the debt. However, in V3Vault._calculateLiquidation(), the liquidation fee is calculated as:

uint256 penaltyValue = fullValue * (Q32 - MAX_LIQUIDATION_PENALTY_X32) / Q32;

fullValue represents the full value of the collateral. This formula is incorrect as the penaltyValue is calculated as fullValue * 90%. Instead, the formula should be defined as debt * 10%.

Mitigation

PR #7

This PR resolves one major fix with a minor unrelated change.

The major fixes include:

If the penalty exceeds the fullValue, the liquidator will not have to pay anything for the liquidation. Next, the liquidationValue is set to fullValue, indicating that the liquidator will receive the full NFT position value. Finally, the reserve cost is set to debt - liquidatorCost. Since the liquidator is covering the liquidatorCost, the reserves will cover the delta between debt and liquidatorCost.

Minor changes:

To sum up, by setting the penalty to debt * 10%, the liquidator will now receive the appropriate discount for liquidating the bad loan. If the penalty exceeds the fullValue, although the liquidator will receive the full value of the position, they will not receive the full 10% debt discount. I believe this is acceptable as the liquidator is not paying anything for the liquidation.

Conclusion

LGTM
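
Added example (not part of the comment above and not code from the Revert repository): a Python model of the Q32 fixed-point arithmetic in the underwater branch, comparing the formula quoted in the finding with the mitigated rule the comment describes. It assumes Q32 = 2**32 and a 10% MAX_LIQUIDATION_PENALTY_X32, that before the fix the liquidator paid penaltyValue, and that after the fix the liquidator pays fullValue minus the penalty when the penalty fits; the function names are hypothetical.

```python
Q32 = 2**32
# Assumption: 10% penalty in Q32 fixed point, matching the whitepaper figure cited.
MAX_LIQUIDATION_PENALTY_X32 = Q32 // 10


def _result(full_value: int, debt: int, liquidator_cost: int) -> dict:
    # The liquidator receives the whole position; reserves absorb the shortfall.
    return {
        "liquidator_cost": liquidator_cost,
        "liquidation_value": full_value,
        "reserve_cost": debt - liquidator_cost,
        "discount": full_value - liquidator_cost,
    }


def underwater_before(full_value: int, debt: int) -> dict:
    """Formula quoted in the finding: penaltyValue is 90% of collateral value."""
    penalty_value = full_value * (Q32 - MAX_LIQUIDATION_PENALTY_X32) // Q32
    # Assumption: the liquidator pays penaltyValue, so the discount tracks
    # the collateral value instead of the debt.
    return _result(full_value, debt, penalty_value)


def underwater_after(full_value: int, debt: int) -> dict:
    """Mitigated rule as described in the comment: penalty is 10% of the debt."""
    penalty = debt * MAX_LIQUIDATION_PENALTY_X32 // Q32
    if penalty > full_value:
        # Penalty exceeds the position value: the liquidator pays nothing.
        liquidator_cost = 0
    else:
        # Assumption: otherwise the liquidator pays the value less the penalty.
        liquidator_cost = full_value - penalty
    return _result(full_value, debt, liquidator_cost)


if __name__ == "__main__":
    # Constructed sample positions (token units), both with value below debt.
    for full_value, debt in [(900_000, 1_000_000), (50_000, 1_000_000)]:
        print("fullValue", full_value, "debt", debt)
        print("  before:", underwater_before(full_value, debt))
        print("  after: ", underwater_after(full_value, debt))
```

In the second constructed position the discount is capped at the position value, which is the case the comment accepts as a liquidator receiving less than the full 10% of debt.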

c4-judge commented 5 months ago

jhsagd76 marked the issue as satisfactory

c4-judge commented 5 months ago

jhsagd76 marked the issue as confirmed for report