Many functions will fail because they runs out of gas if a user has entered many markets
Summary
If after borrowing a user enters many markets with a very small amount, the functions : _isLiquidatable(), _getAccountLiquidity() will run out of gas while calculating the Collateral value and debt value and looping over userEnteredMarkets[user]. This will result in the failure of all functions that call _isLiquidatable(), _getAccountLiquidity(), and this can be used by malicious user to prevent liquidation of his position.
Vulnerability Detail
The functions _isLiquidatable(), _getAccountLiquidity() loops over all user's entered markets userEnteredMarkets[user] to calculate the collateral and debt values.
If a malicous user after borrowing a certain amount from a market decides to enters all existing markets with a very small amount (for example 1 wei), this will lead the functions _isLiquidatable(), _getAccountLiquidity() to loop all the markets from the iron bank protocol and if at a given moment in time the number of markets become large (which is possible as they might be markets for a lot of tokens) the user will be able to make the functions _isLiquidatable(), _getAccountLiquidity() fail due to running out of gas.
When the function _isLiquidatable() reverts due to running out of gas it will automatically makes all the liquidation operations with the liquidate function fail and thus the user can never be liquidated, and after a while the user can decide to repay some of his debts to get back his collateral, this issue will cause problems for the protocol will not get back the borrowed funds or user's collaterals until the user decides to.
Note because the _getAccountLiquidity() function loops over userEnteredMarkets[user], it will also reverts in this case with will disable all the functions that rely on it : _checkAccountLiquidity(), redeem(), borrow(), deferLiquidityCheck(), transferIBToken()
To prevent this issue you should consider adding a minimum deposit amount when a user supply to a new market, in this way malicious users can not enter many markets with very small amounts.
Aymen0909
medium
Many functions will fail because they runs out of gas if a user has entered many markets
Summary
If after borrowing a user enters many markets with a very small amount, the functions :
_isLiquidatable(),_getAccountLiquidity()will run out of gas while calculating the Collateral value and debt value and looping overuserEnteredMarkets[user]. This will result in the failure of all functions that call_isLiquidatable(),_getAccountLiquidity(), and this can be used by malicious user to prevent liquidation of his position.Vulnerability Detail
The functions
_isLiquidatable(),_getAccountLiquidity()loops over all user's entered marketsuserEnteredMarkets[user]to calculate the collateral and debt values.If a malicous user after borrowing a certain amount from a market decides to enters all existing markets with a very small amount (for example 1 wei), this will lead the functions
_isLiquidatable(),_getAccountLiquidity()to loop all the markets from the iron bank protocol and if at a given moment in time the number of markets become large (which is possible as they might be markets for a lot of tokens) the user will be able to make the functions_isLiquidatable(),_getAccountLiquidity()fail due to running out of gas.When the function
_isLiquidatable()reverts due to running out of gas it will automatically makes all the liquidation operations with theliquidatefunction fail and thus the user can never be liquidated, and after a while the user can decide to repay some of his debts to get back his collateral, this issue will cause problems for the protocol will not get back the borrowed funds or user's collaterals until the user decides to.Note because the
_getAccountLiquidity()function loops overuserEnteredMarkets[user], it will also reverts in this case with will disable all the functions that rely on it :_checkAccountLiquidity(),redeem(),borrow(),deferLiquidityCheck(),transferIBToken()Impact
See summary.
Code Snippet
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L1032-L1058
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L1065-L1092
Tool used
Manual Review
Recommendation
To prevent this issue you should consider adding a minimum deposit amount when a user supply to a new market, in this way malicious users can not enter many markets with very small amounts.