hats-finance / Wise-Lending-0xa2ca45d6e249641e595d50d1d9c69c9e3cd22573

Protocol risks insolvency due to faulty liquidation logic #4

Open hats-bug-reporter[bot] opened 7 months ago

hats-bug-reporter[bot] commented 7 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x1ed4185e36a0ef93e6dd3bcafe1ebc1ab96a223dfa157659da372d107621158e
Severity: high

Description:

When the sequencer goes down, the price feed is not updated. Wise has correctly implemented logic to revert when the sequencer is down in latestResolver():


        if (chainLinkIsDead(_tokenAddress) == true) { 
            revert OracleIsDead();
        }

This will revert based on the following code:


    function sequencerIsDead()
        public
        view
        returns (bool)
    {
        if (IS_ARBITRUM_CHAIN == false) {
            return false;
        }

        (
            ,
            int256 answer,
            uint256 startedAt,
            ,
        ) = SEQUENCER.latestRoundData();

        if (answer == 1) {
            return true;
        }

        uint256 timeSinceUp = block.timestamp
            - startedAt;

        if (timeSinceUp <= GRACE_PEROID) { 
            return true;
        }

        return false;
    }

We can see that a grace period is used to revert for a duration after the sequencer has come back up.

The issue is that liquidation is completely blocked during this period, even if the position has become heavily undercollateralized. The protocol could be rendered insolvent during this period since liquidation is completely blocked.

The desired logic here would be similar to how other lending protocols deal with a sequencer outage. We can see below that AAVE v3 allows liquidations if a HF < 0.95 even during a grace period. This is to protect against insolvency risk.

AAVE V3 logic:

    require(
        params.priceOracleSentinel == address(0) ||
            params.healthFactor < MINIMUM_HEALTH_FACTOR_LIQUIDATION_THRESHOLD ||
            IPriceOracleSentinel(params.priceOracleSentinel).isLiquidationAllowed(),
        Errors.PRICE_ORACLE_SENTINEL_CHECK_FAILED
    );

Mitigation:

Use similar logic as AAVE V3 and check if a position is heavily undercollateralized during the grace period. If this is the case, allow liquidations to protect the protocol from bad debt and potential insolvency.
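
The two liquidation policies discussed in this submission, side by side, as an added example (not Wise Lending or Aave source, and not part of the original report). The contract, function and constant names are hypothetical, and the 0.95 threshold scaled to 18 decimals is an assumption based on the figure cited above; the health factor passed in is still derived from price feeds that may lag after a sequencer restart.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Names are hypothetical; the feed interface
// mirrors the latestRoundData() tuple used in the code quoted above.
interface ISequencerFeed {
    function latestRoundData()
        external
        view
        returns (uint80, int256 answer, uint256 startedAt, uint256, uint80);
}

contract LiquidationGate {
    error LiquidationPaused();

    ISequencerFeed public immutable SEQUENCER;
    uint256 public immutable GRACE_PERIOD;

    // Assumed threshold: 0.95 scaled to 18 decimals.
    uint256 public constant CRITICAL_HEALTH_FACTOR = 0.95e18;

    constructor(ISequencerFeed _sequencer, uint256 _gracePeriod) {
        SEQUENCER = _sequencer;
        GRACE_PERIOD = _gracePeriod;
    }

    // True while the sequencer is down or has been back up for no
    // longer than the grace period.
    function inGracePeriod() public view returns (bool) {
        (, int256 answer, uint256 startedAt, , ) = SEQUENCER.latestRoundData();
        if (answer == 1) {
            return true;
        }
        return block.timestamp - startedAt <= GRACE_PERIOD;
    }

    // Strict policy: every liquidation reverts during the grace period.
    function checkStrict() external view {
        if (inGracePeriod()) revert LiquidationPaused();
    }

    // Threshold policy: positions below the critical health factor stay
    // liquidatable; all others wait for the grace period to end.
    function checkWithThreshold(uint256 _healthFactor) external view {
        if (_healthFactor < CRITICAL_HEALTH_FACTOR) return;
        if (inGracePeriod()) revert LiquidationPaused();
    }
}
```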

vonMangoldt commented 7 months ago

This is a design choice question and therefore considered invalid.

In your scenario, the problem is that you make the assumption that when the sequencer is back, Chainlink will synchronize the updates to all relevant oracles in the same block, which we believe to be extremely unlikely. This can potentially result in extracting value from the protocol, especially for sharp changes during a short sequencer outage, since the heartbeat checks would still allow the difference. We believe it to be much more likely that Chainlink updates will be asynchronous and give it a grace period so that users don't get liquidated unnecessarily. It is therefore a design question of what your Bayesian priors are and therefore dismissed.