sherlock-audit / 2023-05-ironbank-judging


Schpiel - IronBank: _getAccountLiquidity() & _isLiquidatable() might run out of gas due to for loop #325

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Schpiel

medium

IronBank: _getAccountLiquidity() & _isLiquidatable() might run out of gas due to for loop

Summary

Both _getAccountLiquidity() & _isLiquidatable() iterate through all of the userEnteredMarkets. Both of these functions have gas-intensive operations such as state updates and calls to the Chainlink price oracle. If a user adds too many markets, these two functions, which are critical in borrowing, redeeming, and liquidating, may cause out-of-gas errors.

A malicious user can use this to their advantage by adding markets, taking out large loans, and avoiding any chance of being liquidated, because when isLiquidatable() checks an account's collateralization, it will run out of gas.

For more information check out: https://github.com/wissalHaji/solidity-coding-advices/blob/master/best-practices/be-careful-with-loops.md

Vulnerability Detail

See summary

Impact

Liquidations may not be possible because, when calculating whether a user is under-collateralized, the for loop in isLiquidatable() will run out of gas.

Code Snippet

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L1070

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L1037

Tool used

Manual Review

Recommendation

Consider limiting the number of markets a user can enter at one time.
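
One way to apply the recommendation above, as an added example that is not part of the original report and not IronBank's code: a per-user cap enforced when a market is entered, so any later loop over the user's entered markets has a fixed upper bound. The contract name, `MAX_ENTERED_MARKETS`, its value and the function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration only; not IronBank's code. All names are hypothetical.
contract BoundedMarkets {
    // Assumed cap. Pick it so that a full liquidity check over this many
    // markets (oracle reads included) stays well below the block gas limit.
    uint256 public constant MAX_ENTERED_MARKETS = 10;

    mapping(address => address[]) private enteredMarkets;
    mapping(address => mapping(address => bool)) private isEntered;

    error TooManyMarkets(uint256 cap);

    /// Enter a market; reverts once the caller already holds the maximum.
    function enterMarket(address market) external {
        if (isEntered[msg.sender][market]) return; // already entered, no-op
        address[] storage list = enteredMarkets[msg.sender];
        if (list.length >= MAX_ENTERED_MARKETS) {
            revert TooManyMarkets(MAX_ENTERED_MARKETS);
        }
        isEntered[msg.sender][market] = true;
        list.push(market);
    }

    /// Exit a market. A real pool would also verify that the account has no
    /// borrow or required collateral in it; that check is omitted here.
    function exitMarket(address market) external {
        if (!isEntered[msg.sender][market]) return;
        address[] storage list = enteredMarkets[msg.sender];
        uint256 n = list.length; // bounded by MAX_ENTERED_MARKETS
        for (uint256 i = 0; i < n; i++) {
            if (list[i] == market) {
                list[i] = list[n - 1]; // swap-and-pop keeps the array dense
                list.pop();
                break;
            }
        }
        isEntered[msg.sender][market] = false;
    }

    /// Upper bound on iterations any per-account loop will perform.
    function enteredMarketCount(address user) external view returns (uint256) {
        return enteredMarkets[user].length;
    }
}
```

Because the cap is checked at entry rather than inside the liquidity calculation, the liquidation path itself never reverts on account size.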