The total lent amount of a bank is not decremented when a position is liquidated
Summary
When a position is (partially) liquidated, and the debt is repaid, the Bank.totalLend variable is not decremented. This can lead to inaccuracies in the total amount of funds lent out by the bank. Over time, the more positions are liquidated, the more the Bank.totalLend variable will be off.
Vulnerability Detail
The Bank.totalLend variable in the BlueBerryBank contract tracks the total amount of funds lent out by a given ERC-20 token bank. This value is adjusted whenever funds are lent out or withdrawn. However, when a position is (partially) liquidated, the debt is repaid, but the totalLend variable is not decremented.
While the position to be liquidated has its debt repaid and the Position.collateralSize, Position.underlyingAmount and Position.underlyingVaultShare variables decremented, Bank.totalLend remains unchanged and is therefore stale.
Impact
The value of bank.totalLend is stale and does not accurately reflect the actual amount of tokens lent to the bank. This could lead to issues in the future if the BlueBerryBank contract gets upgraded and needs to rely on the correct value of bank.totalLend.
berndartmueller
medium
Code Snippet
BlueBerryBank.sol#L534
Tool used
Manual Review
Recommendation
Consider deducting uTokenSize from bank.totalLend in the BlueBerryBank.liquidate function to prevent stale values.
Duplicate of #155
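
A simplified model of the accounting gap and of the recommended deduction, as an added example that is not the BlueBerryBank source. The contract name, `sumUnderlying`, the function names and the `share`/`oldShare` proportion are assumptions; only `totalLend`, `underlyingAmount` and `uTokenSize` are names taken from the finding, and debt repayment and token transfers are left out to isolate the bookkeeping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Illustrative model only; not the project's contract.
contract BankAccountingModel {
    uint256 public totalLend;                             // models Bank.totalLend for one token
    mapping(uint256 => uint256) public underlyingAmount;  // models Position.underlyingAmount
    uint256 public sumUnderlying;                         // test-only mirror of all positions (assumption)

    function lend(uint256 positionId, uint256 amount) external {
        underlyingAmount[positionId] += amount;
        sumUnderlying += amount;
        totalLend += amount;
    }

    function withdrawLend(uint256 positionId, uint256 amount) external {
        underlyingAmount[positionId] -= amount;
        sumUnderlying -= amount;
        totalLend -= amount;
    }

    // Shrinks a position by share/oldShare (assumed proportion of the debt repaid).
    function _reduce(uint256 positionId, uint256 share, uint256 oldShare)
        internal
        returns (uint256 uTokenSize)
    {
        require(oldShare > 0 && share <= oldShare, "bad share");
        uTokenSize = (underlyingAmount[positionId] * share) / oldShare;
        underlyingAmount[positionId] -= uTokenSize;
        sumUnderlying -= uTokenSize;
    }

    // Behaviour described in the finding: the position shrinks, totalLend stays as it was.
    function liquidateStale(uint256 positionId, uint256 share, uint256 oldShare) external {
        _reduce(positionId, share, oldShare);
    }

    // Recommended behaviour: deduct uTokenSize from totalLend as well.
    function liquidateFixed(uint256 positionId, uint256 share, uint256 oldShare) external {
        totalLend -= _reduce(positionId, share, oldShare);
    }

    // Invariant for a unit or fuzz test to assert after every call.
    function totalLendMatchesPositions() external view returns (bool) {
        return totalLend == sumUnderlying;
    }
}
```

In this model, `totalLendMatchesPositions()` returns false after any `liquidateStale` call that removes a non-zero `uTokenSize`, and the gap grows with each further liquidation; it stays true when `liquidateFixed` is used instead.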