search

sherlock-audit / 2023-05-ironbank-judging

2 stars 2 forks source link

Delvir0 - An user can use an attack contract to block being liquidated. #397

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Delvir0

high

An user can use an attack contract to block being liquidated.

Summary

The attack is similar to my previous issue but has a different attack vector. Where that issues explains how to drain the pool, this explains how to skip being liquidated. While fixing the possibility to drain the pool, this issue can be left open which includes using transferIbTokens() .

Vulnerability Detail

  1. Supply() collateral 100, borrow() 80
  2. Call deferLiquidityCheck(), status is now DEFFERED. At external call, send all ibTokens to someone else (transferIbTokens)
  3. transferIbTokens checks _checkAccountLiquidity but skips since status = LIQUIDITY_CHECK_DEFERRED
  4. ibTokens are transfered
  5. deferLiquidityCheck() continues and sets status to NORMAL
  6. When calling liquidate, the whole flow includes transferring the ibTokens from the borrower to the liquidater https://github.com/sherlock-audit/2023-05-ironbank/blob/9ebf1702b2163b55479624794ab7999392367d2a/ib-v2/src/protocol/pool/IronBank.sol#L865
  7. Requirement at line 873 will fail since ibTokens have been transferred, reverting the whole function https://github.com/sherlock-audit/2023-05-ironbank/blob/9ebf1702b2163b55479624794ab7999392367d2a/ib-v2/src/protocol/pool/IronBank.sol#L865

    Impact

    A user can block himself from being liquidated

    Code Snippet

    See above

    Tool used

Manual Review

Recommendation

Consider sending the collateral instead of the ibTokens to the liquidater