search

sherlock-audit / 2023-04-jojo-judging

7 stars 4 forks source link

0x52 - Liquidators can profit extra at the expense of those being liquidated #416

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0x52

high

Liquidators can profit extra at the expense of those being liquidated

Summary

Liquidators are allowed to specify and sell up to the entire balance of the user's collateral even if it is more collateral than needed. They are required to pay the user the USDC value of the collateral as priced by an oracle. The issue with this is that onchain oracles are hardly ever exactly in line with the spot price. This allows liquidators to profit on this difference, stealing funds directly from the user being liquidated.

Vulnerability Detail

https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/Impl/JUSDBank.sol#L199-L204

    require(
        IERC20(primaryAsset).balanceOf(liquidated) -
            primaryLiquidatedAmount >=
            liquidateData.liquidatedRemainUSDC,
        JUSDErrors.LIQUIDATED_AMOUNT_NOT_ENOUGH
    );

When a user is liquidated for too much collateral, the liquidator is required to reimburse the user for the excess collateral that was taken.

https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/Impl/JUSDBank.sol#L436-L437

    liquidateData.liquidatedRemainUSDC = (amount -
        liquidateData.actualCollateral).decimalMul(price);

When calculating how much USDC to reimburse the user they simply multiply the extra by the current oracle price. This is where the issue happens. For most chainlink oracles (the main oracle utilized) the price is allowed to vary by sometimes up to 2%. This allows the liquidator to abuse any discrepancy in their favor to extract more value from the user. In scenarios where the users only need to liquidate a portion of their collateral, the liquidator would instead liquidate all their collateral and profit from the difference between the real value of the collateral and the chainlink price.

Impact

Liquidators can unfairly take more than they should

Code Snippet

https://github.com/sherlock-audit/2023-04-jojo/blob/main/JUSDV1/src/Impl/JUSDBank.sol#L379-L438

Tool used

Manual Review

Recommendation

Only allow the liquidator to take the collateral amount needed

jotaro-ora commented 1 year ago

I think your concern that the chainlink price is inaccurate. But in fact when collateral prices fall, the chainlink price tends to lag. That means the price of liquidating collateral will be better than the market price. In addition, when liquidation occurs, we have to prioritize ensuring that the system is free of bad debts over the interests of those being liquidated.