Original vulnerabilities/impacts:
The report raises a vulnerable case during the liquidation auction settlement process. Where there are insufficient proceeds from the auction to pay for all tranche lenders, the lenders who are not paid will not be called to notify loan liquidation settlement. And if the lender is a loanManager/pool, the pool contract will not have a chance to update accounting (e.g. adjusting sumAPR, or settle bad debts).
The core vulnerability is the for-loop of handling proceeds will break as soon as there are no _proceeds left to distribute, which will directly skip calling LoanManager(_tranche.lender).loanLiquidation() in _handleLoanManagerCall().
The mitigation is to let the for-loop finishing run for each tranche iteration, which will call LoanManager(_tranche.lender).loanLiquidation() to notify liquidation settlement. And only check and transfer proceeds when _proceedsLeft !=0.
This mitigation eliminates the vulnerability and resolves the issue.
Lines of code
Vulnerability details
C4 Issue
M-18: distribute() when can't repay all lenders, may lack of notification to LoanManager for accounting
Comments
Original vulnerabilities/impacts: The report raises a vulnerable case during the liquidation auction settlement process. Where there are insufficient proceeds from the auction to pay for all tranche lenders, the lenders who are not paid will not be called to notify loan liquidation settlement. And if the lender is a loanManager/pool, the pool contract will not have a chance to update accounting (e.g. adjusting sumAPR, or settle bad debts).
The core vulnerability is the for-loop of handling proceeds will break as soon as there are no _proceeds left to distribute, which will directly skip calling
LoanManager(_tranche.lender).loanLiquidation()
in_handleLoanManagerCall()
.Mitigation
Fix: https://github.com/pixeldaogg/florida-contracts/pull/391
The mitigation is to let the for-loop finishing run for each tranche iteration, which will call
LoanManager(_tranche.lender).loanLiquidation()
to notify liquidation settlement. And only check and transfer proceeds when _proceedsLeft !=0.This mitigation eliminates the vulnerability and resolves the issue.
Conclusion
LGTM