search

sherlock-audit / 2023-07-blueberry-judging

2 stars 1 forks source link

Oxhunter526 - Front-Running Risk in Liquidation after Repay Enablement #86

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

Oxhunter526

medium

Front-Running Risk in Liquidation after Repay Enablement

Summary

The smart contract lacks a proper synchronization mechanism between the enablement of repayments and the initiation of liquidations. This opens up the possibility of front-running by liquidators, where they can trigger liquidations immediately after repayments are resumed, potentially causing borrowers to lose funds without a fair chance to repay their positions.

Vulnerability Detail

The liquidate() function allows positions to be liquidated when they are deemed liquidatable and certain conditions are met. However, there is a security concern arising from the way repayments and liquidations are controlled by a shared enable flag.

// Existing code in the liquidate() function
function liquidate(
    uint256 positionId,
    address debtToken,
    uint256 amountCall
) external override lock poke(debtToken) {
    // ... (existing checks and code)

    // Revert liquidation if the waiting period hasn't passed since repayments were resumed
    if (
        block.timestamp <
        repayResumedTimestamp + Constants.LIQUIDATION_WAIT_PERIOD
    ) revert Errors.LIQUIDATION_NOT_ALLOWED_YET();

    // ... (rest of the code)
}

The security concern stems from the fact that liquidations can be triggered immediately after repayments are resumed, without allowing borrowers a fair opportunity to repay their positions. This issue arises from the absence of a mechanism that prevents liquidations for a certain period after repayments are re-enabled.

Impact

The lack of synchronization between repayments and liquidations allows liquidators to front-run repayments, potentially causing significant financial losses for borrowers. This scenario can undermine the fairness of the protocol and lead to an advantage for automated liquidation tools over human users attempting to repay their positions.

Code Snippet

(https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L544-L621)

Tool used

Manual Review

Recommendation

A mechanism should be implemented that introduces a waiting period after repayments are resumed before liquidations can be triggered. This would allow borrowers a fair opportunity to repay their positions before liquidators can take advantage of the situation.

sherlock-admin2 commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

shogoki commented:

there is Constants.LIQUIDATION_WAIT_PERIOD

0xyPhilic commented:

invalid because liquidations can't be triggered immediately as there is a cooldown period