code-423n4 / 2024-09-panoptic-findings


PanopticPool liquidation should use BP_DECREASE_BUFFER to detect solvency for liquidator #4

Closed c4-bot-10 closed 2 weeks ago

c4-bot-10 commented 2 weeks ago

Lines of code

https://github.com/code-423n4/2024-09-panoptic/blob/main/contracts/PanopticPool.sol#L1061

Vulnerability details

Impact

The liquidator's solvency status may fall below BP_DECREASE_BUFFER due to a decrease of buying power while performing the liquidation.

Bug Description

After performing a liquidation, since the liquidator's buying power may decrease, the solvency status should be checked against BP_DECREASE_BUFFER rather than NO_BUFFER.

This issue was introduced in the latest diff.

    /// @notice Multiplier in basis points for the collateral requirement in the event of a buying power decrease, such as minting or force exercising another user.
@>  uint256 internal constant BP_DECREASE_BUFFER = 13_333;

    /// @notice Multiplier for the collateral requirement in the general case.
    uint256 internal constant NO_BUFFER = 10_000;

    function liquidate(
        TokenId[] calldata positionIdListLiquidator,
        address liquidatee,
        TokenId[] calldata positionIdList
    ) external {
        ...
        // ensure the liquidator is still solvent after the liquidation
@>      _validateSolvency(msg.sender, positionIdListLiquidator, NO_BUFFER);

        emit AccountLiquidated(msg.sender, liquidatee, bonusAmounts);
    }

Proof of Concept

N/A

Tools Used

Manual Review

Recommended Mitigation Steps

Use BP_DECREASE_BUFFER instead of NO_BUFFER.

Assessed type

Invalid Validation
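The difference between the two constants is easiest to see with numbers. The following is an added illustration, not code from the warden's submission or from the Panoptic repository: it assumes the multiplier is applied by scaling the base collateral requirement by `buffer / 10_000` (consistent with the constants' doc comments, but the exact formula in `_validateSolvency` is not shown on this page), and the balances and requirements are constructed values.

```python
# Added illustration of a buffered solvency check. Not Panoptic's code; the
# scaling formula below is an assumption drawn from the constants' doc comments.

NO_BUFFER = 10_000           # general-case multiplier, in basis points
BP_DECREASE_BUFFER = 13_333  # multiplier used when buying power may decrease


def required_with_buffer(requirement: int, buffer_bps: int) -> int:
    """Scale a base collateral requirement by a basis-point multiplier.

    Integer division mirrors typical Solidity arithmetic (assumed, not verified
    against the actual contract).
    """
    return requirement * buffer_bps // NO_BUFFER


def is_solvent(balance: int, requirement: int, buffer_bps: int) -> bool:
    """Account is solvent if its balance covers the buffered requirement."""
    return balance >= required_with_buffer(requirement, buffer_bps)


def compare_checks(balance: int, requirement: int) -> dict:
    """Run both checks on the same account so the disagreement window is visible.

    An account in the window passes the NO_BUFFER check that liquidate() uses
    but would fail the stricter BP_DECREASE_BUFFER check the report asks for.
    """
    return {
        "no_buffer": is_solvent(balance, requirement, NO_BUFFER),
        "bp_decrease_buffer": is_solvent(balance, requirement, BP_DECREASE_BUFFER),
    }


def extra_collateral_for_buffer(requirement: int) -> int:
    """Additional collateral the stricter check demands beyond the base requirement."""
    return required_with_buffer(requirement, BP_DECREASE_BUFFER) - requirement


if __name__ == "__main__":
    # Constructed sample: base requirement of 1000 units, liquidator holds 1200.
    print(compare_checks(1200, 1000))   # passes NO_BUFFER, fails BP_DECREASE_BUFFER
    print(compare_checks(1333, 1000))   # passes both
    print(extra_collateral_for_buffer(1000))
```

The window between the two outcomes (balances from 1000 up to 1332 for a base requirement of 1000) is the region the report is concerned with; the sponsor's reply below argues that a liquidator cannot actually be pushed into that window by the liquidation itself.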

dyedm1 commented 2 weeks ago

After performing a liquidation, since the liquidator's buying power may decrease

It is now impossible for the liquidator's buying power to decrease as a direct result of the liquidation bonus because negative bonus amounts are settled directly in the underlying token. It may decrease as a second-order effect due to protocol loss, but not more than if the liquidation had been performed from another account.

This check could probably be removed entirely -- it doesn't prevent any specific attacks and is just there because of historical bias.

c4-judge commented 2 weeks ago

Picodes marked the issue as unsatisfactory: Invalid