In this protocol users can lend and borrow multiple tokens in single contract and their liqudity ratio calculated in same contract. Also their tokens interest calculated by accrueInterest(asset) for single asset. Because of that, there is chance for if an user lend more than one asset and borrow one, a liqudiator can liquidate user for one colleteral and one borrow asset. Even though with other lend tokens collecting of other lend token's interest become his account to unliquadatable, liquadate function just accrue one lend token and protocol misused for borrower.
Vulnerability Detail
poc steps are
1)Borrower lend two token and borrow one token.
2) After some time, liqudator use liqudate function for just one lend token and borrowed token.
3)Due to just one of lending token's new value calculated and his account's liqudity calculated low than supposed to be, liqudator liqudate a borrower who he shouldn't.
mert_eren
high
Liqudiate healthy account
Summary
In this protocol users can lend and borrow multiple tokens in single contract and their liqudity ratio calculated in same contract. Also their tokens interest calculated by accrueInterest(asset) for single asset. Because of that, there is chance for if an user lend more than one asset and borrow one, a liqudiator can liquidate user for one colleteral and one borrow asset. Even though with other lend tokens collecting of other lend token's interest become his account to unliquadatable, liquadate function just accrue one lend token and protocol misused for borrower.
Vulnerability Detail
poc steps are 1)Borrower lend two token and borrow one token. 2) After some time, liqudator use liqudate function for just one lend token and borrowed token. 3)Due to just one of lending token's new value calculated and his account's liqudity calculated low than supposed to be, liqudator liqudate a borrower who he shouldn't.
Impact
Healthy accounts can be liqudatable.
Code Snippet
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L1065-L1092 https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L495-L496
Tool used
Manual Review
Recommendation
Can be thinking about use accrue interest for all users assets before calculate liqudity.