sherlock-audit / 2023-02-surge-judging


gogo - Inefficient check in Pool.liquidate for repay amount #258

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

gogo

medium

Inefficient check in Pool.liquidate for repay amount

Summary

Inefficient check in Pool.liquidate for repay amount.

Vulnerability Detail

It is expected that liquidators will either pass the user's debt amount as a repay amount or type(uint256).max in Pool.liquidate when they want to liquidate the whole position of a user. The else statement assumes that if the amount is neither one of the above values, it is less than the user's debt and calculates the shares. After that, the shares are subtracted from the debt shares balance of the user. This will cause an underflow in case the passed amount is higher than the user's debt.

This can also open opportunities for griefing and front-running attacks by the borrower to prevent themselves from being liquidated.

Impact

Liquidators can have their transaction reverted if the passed amount to repay is close to the user's debt.

Code Snippet

    if(_amount == type(uint).max || _amount == userDebt) {

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L580

Tool used

Manual Review

Recommendation

Modify the repay amount check in Pool.liquidate:

-   if(_amount == type(uint).max || _amount == userDebt) {
+   if(_amount >= userDebt) {
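
Review bot: on the `+` line, `_amount >= userDebt` already covers the `type(uint).max` sentinel, but the body of the branch is not part of this change, so confirm it repays `userDebt` rather than `_amount`; otherwise a liquidator who passes more than the debt would transfer the excess. A test for `_amount` just above `userDebt` would document the intended behaviour.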

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L580
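
The report's exact-match check next to the recommended `>=` check, as an added example that is not part of the original issue and is not Surge's Pool.sol. The contract name, `seed`, `debtOf`, `liquidateExact`, `liquidateClamped` and `_settle` are hypothetical, and the share accounting is a simplified assumption (one share per token, no interest accrual, no collateral or token transfers).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model for illustration; not the Surge Pool contract.
// Interest accrual, collateral seizure and token transfers are omitted.
contract LiquidateCheckModel {
    uint public totalDebt;        // debt tokens owed across all borrowers
    uint public debtSharesSupply; // total debt shares outstanding
    mapping(address => uint) public debtSharesBalanceOf;

    // Hypothetical setup helper: opens a position at 1 share per token.
    function seed(address borrower, uint debt) external {
        totalDebt += debt;
        debtSharesSupply += debt;
        debtSharesBalanceOf[borrower] += debt;
    }

    function debtOf(address borrower) public view returns (uint) {
        if (debtSharesSupply == 0) return 0;
        return debtSharesBalanceOf[borrower] * totalDebt / debtSharesSupply;
    }

    // Exact-match check as quoted in the report.
    function liquidateExact(address borrower, uint amount) external returns (uint) {
        uint userDebt = debtOf(borrower);
        bool full = amount == type(uint).max || amount == userDebt;
        return _settle(borrower, full ? userDebt : amount, full);
    }

    // Recommended check: any amount at or above the debt closes the position.
    function liquidateClamped(address borrower, uint amount) external returns (uint) {
        uint userDebt = debtOf(borrower);
        bool full = amount >= userDebt;
        return _settle(borrower, full ? userDebt : amount, full);
    }

    function _settle(address borrower, uint amount, bool full) private returns (uint) {
        // Partial path assumes amount < debt when converting tokens to shares.
        uint shares = full
            ? debtSharesBalanceOf[borrower]
            : amount * debtSharesSupply / totalDebt;
        // Checked subtraction (Solidity >=0.8): reverts with Panic(0x11)
        // when shares exceeds the borrower's balance, i.e. amount > debt.
        debtSharesBalanceOf[borrower] -= shares;
        debtSharesSupply -= shares;
        totalDebt -= amount;
        return amount; // tokens the liquidator actually repays
    }
}
```

With a position seeded at 100, `liquidateExact(borrower, 101)` reverts on the share subtraction, while `liquidateClamped(borrower, 101)` closes the position and returns 100.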

nourharidy commented 1 year ago

The type(uint).max condition is added for this purpose