c4-bot-8 commented 3 months ago

Lines of code

Vulnerability details

C4 Issue

H-11: Incorrect protocol fee implementation results in outstandingValues to be mis-accounted in Pool.sol

Comments

Original vulnerabilities: When emitting a loan, protocol fee associated with loan will be factored into _outstandingValues.sumApr.Specifically, a netAPR (after protocol fee deduction APR) will be added into _outstandingValues.sumApr value.

The problem is when closing a loan after the loan liquidation auction’s settlement, protocol fee is not accounted for. _outstandingValues.sumApr will be offset by a bigger APR (pre-fee deduction APR) value than when the loan is initiated.

Original impacts: This results in incorrect _oustandingValues being used in all subsequent loan accounting.

Mitigation

Fix: https://github.com/pixeldaogg/florida-contracts/pull/378/files

//src/lib/LiquidationDistributor.sol
    function distribute(uint256 _proceeds, IMultiSourceLoan.Loan calldata _loan) external {
...
|>        uint256 protocolFee = _loan.protocolFee;
...
            for (uint256 i = 0; i < _loan.tranche.length;) {
                IMultiSourceLoan.Tranche calldata thisTranche = _loan.tranche[i];
                _handleTrancheExcess(
                    _loan.principalAddress,
                    thisTranche,
                    msg.sender,
                    _proceeds,    
                    totalPrincipalAndPaidInterestOwed + totalPendingInterestOwed,
|>                  protocolFee
                );
...

The mitigation is to offset outstandingValues.sumApr by the same netAPR as when the corresponding loan is initiated. This including modifying helper functions such as _handleTrancheExcess() , _handleTrancheInsufficient(), _handleLoanManagerCall() and passing the _loan.protocolFee to the loanLiquidation() call.

The mitigation eliminates the vulnerability and resolves the issue.

Test

The revised test is passing

Conclusion

LGTM

c4-judge commented 3 months ago

alex-ppg marked the issue as satisfactory