A an attacker stop the protocol from removing bad debt

Summary

an attacker can deposit to JUSD and there is no check if their address is safe, so they can add their collateral to the array and stop the protocol from removing their bad debt

Vulnerability Detail

an attacker can deposit funds even though they have bad debt and add collateral tokens to their array before the protocol removes their bad debt and it will cause the owner tx to revert. ex: at t0 .J(attacker) has a bad debt of 5 JUSD at t1 the protocol trying removing their bad debt alice front runs that tx and adds 1 JUSD to their account and adds a collateral to their array now when handleBadDebt is called it will revert.

Impact

bad debt that is not getting erased and dos for protocol

Code Snippet

This require will revert

  liquidatedTraderInfo.collateralList.length == 0 &&

when the attacker deposits there is no check if they are safe like withdraw has

require(reserve.isDepositAllowed, JUSDErrors.RESERVE_NOT_ALLOW_DEPOSIT);
        require(amount != 0, JUSDErrors.DEPOSIT_AMOUNT_IS_ZERO);
        IERC20(collateral).safeTransferFrom(from, address(this), amount);
        _addCollateralIfNotExists(user, collateral);
        user.depositBalance[collateral] += amount;
        reserve.totalDepositAmount += amount;

https://github.com/sherlock-audit/2023-04-jojo/blob/6090fef68932b5577abf6b5aa26eb1e579353c57/JUSDV1/src/Impl/JUSDBank.sol#L502

Tool used

Manual Review

Recommendation

add account safe function to deposit like withdraw

        require(
            _isAccountSafe(user, tRate),
            JUSDErrors.AFTER_WITHDRAW_ACCOUNT_IS_NOT_SAFE
        );

Duplicate of #318

sherlock-audit / 2023-04-jojo-judging

simon135 - A an attacker stop the protocol from removing bad debt #419