sherlock-audit / 2023-05-ironbank-judging

2 stars 2 forks source link

mert_eren - Liqudiate healthy account #311

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

mert_eren

high

Liqudiate healthy account

Summary

In this protocol users can lend and borrow multiple tokens in single contract and their liqudity ratio calculated in same contract. Also their tokens interest calculated by accrueInterest(asset) for single asset. Because of that, there is chance for if an user lend more than one asset and borrow one, a liqudiator can liquidate user for one colleteral and one borrow asset. Even though with other lend tokens collecting of other lend token's interest become his account to unliquadatable, liquadate function just accrue one lend token and protocol misused for borrower.

Vulnerability Detail

poc steps are 1)Borrower lend two token and borrow one token. 2) After some time, liqudator use liqudate function for just one lend token and borrowed token. 3)Due to just one of lending token's new value calculated and his account's liqudity calculated low than supposed to be, liqudator liqudate a borrower who he shouldn't.

Impact

Healthy accounts can be liqudatable.

Code Snippet

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L1065-L1092 https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L495-L496

Tool used

Manual Review

Recommendation

Can be thinking about use accrue interest for all users assets before calculate liqudity.