search

hats-finance / Tapioca--Lending-Engine--0x5bee198f5b060eecd86b299fdbea6b0c07c728dd

Other
0 stars 0 forks source link

users cannot be liquidated when `PauseType.Liquidation` is set to true #25

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: @Audinarey Twitter username: audinarey Submission hash (on-chain): 0x8f197744e0eca8348e4d96f04a891580ddebd01a1f43e3293f9fdafa8f0f2802 Severity: high

Description: Description\ The BBLiquidation::liquidate(...) and SGLBorrow::Liquidate(...) are functions that users call to liqudate positions that are currently greater than or equal to the collateralizationRate which is set in the sysytem as 80%. However these functions are protected by a optionNotPaused(...) modifier with a PauseType.Liquidation argument which ensures the functions cannot be called whenever PauseType.Liquidation= true


File: SGLLiquidation.sol

120:     function liquidate(
121:         address[] calldata users,
122:         uint256[] calldata maxBorrowParts,
123:         uint256[] calldata minLiquidationBonuses,
124:         IMarketLiquidatorReceiver[] calldata liquidatorReceivers,
125:         bytes[] calldata liquidatorReceiverDatas
126:  @>  ) external optionNotPaused(PauseType.Liquidation) {
127:         if (users.length == 0) revert NothingToLiquidate();
SNIP
...;
137: 
138:         _closedLiquidation(
139:             users, maxBorrowParts, minLiquidationBonuses, liquidatorReceivers, liquidatorReceiverDatas, exchangeRate
140:         );
141:     }
142. 

File: BBLiquidation.sol

119:     function liquidate(
120:         address[] calldata users,
121:         uint256[] calldata maxBorrowParts,
122:         uint256[] calldata minLiquidationBonuses,
123:         IMarketLiquidatorReceiver[] calldata liquidatorReceivers,
124:         bytes[] calldata liquidatorReceiverDatas
125:  @>  ) external optionNotPaused(PauseType.Liquidation) {
126:         if (users.length == 0) revert NothingToLiquidate();
SNIP
......
137: 
138:         _closedLiquidation(
139:             users, maxBorrowParts, minLiquidationBonuses, liquidatorReceivers, liquidatorReceiverDatas, exchangeRate
140:         );
141:     }

Attack Scenario\

Attachments

Revised Code File (Optional)

Modify the BBLiquidation::liquidate(...) and SGLBorrow::Liquidate(...)functions to ensure users are able to repay their loans as shown below


File: SGLLiquidation.sol

120:     function liquidate(
121:         address[] calldata users,
122:         uint256[] calldata maxBorrowParts,
123:         uint256[] calldata minLiquidationBonuses,
124:         IMarketLiquidatorReceiver[] calldata liquidatorReceivers,
125:         bytes[] calldata liquidatorReceiverDatas

126:    -    ) external optionNotPaused(PauseType.Liquidation) {

126:    +   ) external  {

127:         if (users.length == 0) revert NothingToLiquidate();
SNIP
...;
137: 
138:         _closedLiquidation(
139:             users, maxBorrowParts, minLiquidationBonuses, liquidatorReceivers, liquidatorReceiverDatas, exchangeRate
140:         );
141:     }
142. 

File: BBLiquidation.sol

119:     function liquidate(
120:         address[] calldata users,
121:         uint256[] calldata maxBorrowParts,
122:         uint256[] calldata minLiquidationBonuses,
123:         IMarketLiquidatorReceiver[] calldata liquidatorReceivers,
124:         bytes[] calldata liquidatorReceiverDatas

125:    -    ) external optionNotPaused(PauseType.Liquidation) {

125:    +   ) external  {

126:         if (users.length == 0) revert NothingToLiquidate();
SNIP
......
137: 
138:         _closedLiquidation(
139:             users, maxBorrowParts, minLiquidationBonuses, liquidatorReceivers, liquidatorReceiverDatas, exchangeRate
140:         );
141:     }