search

sherlock-audit / 2023-01-ajna-judging

1 stars 0 forks source link

Jeiwan - Loan can be "taken" after it became collateralized as a result of a recovered LUP #144

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Jeiwan

high

Loan can be "taken" after it became collateralized as a result of a recovered LUP

Summary

A loan can be liquidated ("taken") if it's collateralized as per the current LUP. This happens because LUP may recover after the loan was kicked, but there's no check in take function for whether the loan is collateralized again.

Vulnerability Detail

As per the whitepaper:

If the loan becomes fully collateralized again because of paying down debt (either due to purchases in the auction, or the borrower repaying debt), pledges of additional capital, or the LUP moving up above the loan’s TP, the loan is removed from liquidation.

Thus, it's expected that, after LUP has moved above the loan's TP, the liquidation of the loan should be cancelled, the collateral should be returned to its owner, and the 90-day interest penalty to be subtracted from borrower's total debt. However, this doesn't happen.

The liquidation process is implemented in two stages:

  1. Liquidation is started by kicking a loan position. Kicking is only possible when the position is undercollaterlaized, i.e. the value of the collateral at the current LUP is less than the debt.
  2. Liquidation is finalized by taking the liquidated position. However, there's no check for whether the position is collateralized or not during taking.

The gap between "kicking" and "taking" may take up to 3 days, during which the LUP may increase and bring the position being liquidated above the liquidation threshold.

Impact

Borrower's collateral may be falsely liquidated while its value being above borrower's debt, causing loss of funds to borrowers. The damage may be higher in ERC721 pools where collateral has a high price.

Code Snippet

Auctions.sol#L538

Tool used

Manual Review

Recommendation

Consider disallowing liquidations of collateralized positions and allowing borrowers to cancel liquidations and return their collateral.

grandizzy commented 1 year ago

this is implemented as intented, otherwise the taker will pay fees for settling an auction but without getting anything in change. if someone repays debt or pledge more collateral they will be removed from the auction, if LUP moves then the borrower won't be removed from auctions. Will update the whitepaper to remove or the LUP moving up above the loan’s TP part

hrishibhat commented 1 year ago

Considering this issue as a low, as the Sponsor the code is working as intended and whitepaper will be updated as per implementation.