hats-finance / Tapioca--Lending-Engine--0x5bee198f5b060eecd86b299fdbea6b0c07c728dd


Potential arbitrage opportunity if the price is not updated #28

Open hats-bug-reporter[bot] opened 3 weeks ago

hats-bug-reporter[bot] commented 3 weeks ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x9e0752047390b6c474af4d3f74224a005c3b4f9de472a9aa9c48661bfe12b15e
Severity: medium

Description:

The function `getLiquidationCollateralAmount` gets the price for the collateral amount used in a liquidation, but if `updated` is false or `_exchangeRate` is 0 it uses the stored rate. The attacker can use this as an arbitrage opportunity by getting `sgl._exchangeRate()`.

Attack Scenario

```solidity
function getLiquidationCollateralAmount(
    address sglAddress,
    address user,
    uint256 maxBorrowPart,
    uint256 minLiquidationBonus,
    uint256 exchangeRatePrecision,
    uint256 feeDecimalsPrecision
) external view returns (uint256 collateralShare) {
    ISingularity sgl = ISingularity(sglAddress);

    (bool updated, uint256 _exchangeRate) = ITapiocaOracle(sgl._oracle()).peek(sgl._oracleData());
    //@audit Potential arbitrage opportunity if the price is not updated
    if (!updated || _exchangeRate == 0) {
        _exchangeRate = sgl._exchangeRate(); // use stored rate
    }
    if (_exchangeRate == 0) revert ExchangeRateNotValid();

    (uint128 totalBorrowElastic, uint128 totalBorrowBase) = sgl._totalBorrow();

    _ViewLiquidationStruct memory data;
    {
        data.user = user;
        data.maxBorrowPart = maxBorrowPart;
        data.minLiquidationBonus = minLiquidationBonus;
        data.exchangeRate = _exchangeRate;
        data.yieldBox = IYieldBox(sgl._yieldBox());
        data.collateralId = sgl._collateralId();
        data.userCollateralShare = sgl._userCollateralShare(user);
        data.userBorrowPart = sgl._userBorrowPart(user);
        data.totalBorrow = Rebase({elastic: totalBorrowElastic, base: totalBorrowBase});
        data.liquidationBonusAmount = IMarket(sglAddress)._liquidationBonusAmount();
        data.liquidationCollateralizationRate = sgl._liquidationCollateralizationRate();
        data.liquidationMultiplier = sgl._liquidationMultiplier();
        data.exchangeRatePrecision = exchangeRatePrecision;
        data.feeDecimalsPrecision = feeDecimalsPrecision;
    }
```

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)
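
One way to bound the fallback described in the report, as an added example that is not part of the submission or of Tapioca's code: the stored rate is accepted only while it is younger than a maximum age, and the caller is told when it was used. The `RateGuard` library, the `StoredRateTooOld` error and the `storedRateTimestamp` and `maxAge` parameters are hypothetical; the page does not show whether the market records when `_exchangeRate` was last written.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Tapioca code). Library, error and parameter names are hypothetical.
library RateGuard {
    error ExchangeRateNotValid();
    error StoredRateTooOld(uint256 age, uint256 maxAge);

    /// @param updated             first value returned by ITapiocaOracle.peek()
    /// @param oracleRate          second value returned by ITapiocaOracle.peek()
    /// @param storedRate          value of sgl._exchangeRate()
    /// @param storedRateTimestamp assumed: time at which storedRate was last written
    /// @param maxAge              assumed: longest acceptable age of storedRate, in seconds
    /// @return rate      rate to use for the liquidation quote
    /// @return fromStore true when the stored rate was used, so the caller can surface it
    function resolveRate(
        bool updated,
        uint256 oracleRate,
        uint256 storedRate,
        uint256 storedRateTimestamp,
        uint256 maxAge
    ) internal view returns (uint256 rate, bool fromStore) {
        // Fresh, non-zero oracle answer: use it directly.
        if (updated && oracleRate != 0) {
            return (oracleRate, false);
        }

        // Fallback path from the report: same zero check as the original function.
        if (storedRate == 0) revert ExchangeRateNotValid();

        // A timestamp in the future is treated as age 0 instead of underflowing.
        uint256 age = block.timestamp > storedRateTimestamp
            ? block.timestamp - storedRateTimestamp
            : 0;

        // Refuse to quote from a stored rate that is older than the allowed window.
        if (age > maxAge) revert StoredRateTooOld(age, maxAge);

        return (storedRate, true);
    }
}
```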

MGF15 commented 3 weeks ago

Forgot to add my username