The implementation of BlueBerryBank.liquidate() is wrong in a few cases, which could lead to the liquidator getting all collaterals and underlying token shares by paying only one debt token.
Vulnerability Detail
Note that when a position is liquidatable, anybody can call BlueBerryBank.liquidate() and get some collaterals and underlying token shares stored in a vault after paying some debt. The liquidator pays only one debt token at a time.
If the liquidator pays full debt of a debtToken, the share will be same as oldShare.
Let us get back to BlueBerryBank.liquidate(). If share = oldShare,liqSize = pos.collateralSize, and all of collateral amounts will be sent to the liquidator. And pos.collateralSize will be 0, and similar things happen to uVaultShare.
The liquidator paid only one debt, but he will get all of collateral and underlying shares stored in vault. The collateral and underlying supports all debt tokens, not only one debt token, so this implementation is not correct.
Impact
The liquidator gets more than he should get, so it will cause fund loss of the protocol.
Bauchibred
high
Liquidation logic is still not completely correct
Summary
The implementation of
BlueBerryBank.liquidate()
is wrong in a few cases, which could lead to the liquidator getting all collaterals and underlying token shares by paying only one debt token.Vulnerability Detail
Note that when a position is liquidatable, anybody can call
BlueBerryBank.liquidate()
and get some collaterals and underlying token shares stored in a vault after paying some debt. The liquidator pays only one debt token at a time.If the liquidator pays full debt of a debtToken, the share will be same as oldShare.
Because when the liquidator pays oldDebt in
_repay()
,lessShare
will be same asoldShare
.Let us get back to
BlueBerryBank.liquidate()
. Ifshare = oldShare,
liqSize = pos.collateralSize
, and all of collateral amounts will be sent to the liquidator. And pos.collateralSize will be 0, and similar things happen to uVaultShare.The liquidator paid only one debt, but he will get all of collateral and underlying shares stored in vault. The collateral and underlying supports all debt tokens, not only one debt token, so this implementation is not correct.
Impact
The liquidator gets more than he should get, so it will cause fund loss of the protocol.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/96eb1829571dc46e1a387985bd56989702c5e1dc/blueberry-core/contracts/BlueBerryBank.sol#L731-L759
https://github.com/sherlock-audit/2023-04-blueberry/blob/96eb1829571dc46e1a387985bd56989702c5e1dc/blueberry-core/contracts/BlueBerryBank.sol#L483-L548
Tool used
Manual Review
Recommendation
Use something like:
instead of:
And same things to uVaultShare.