feelereth - The liquidation fee calculation is vulnerable to manipulation by the token contract reporting false balances

[sherlock-admin]

feelereth

high

The liquidation fee calculation is vulnerable to manipulation by the token contract reporting false balances

Summary

The liquidation fee calculation relies on the token contract's balanceOf() function to get the token balance, which could potentially be manipulated.

Vulnerability Detail

The _liquidationFee function calculates the liquidation fee based on the latest position and risk parameters. It then caps the fee at the total reported balance of the token contract by calling token.balanceOf(). This allows the token contract to manipulate the fee calculation by reporting a false low balance. For example, if the actual balance is 1000 tokens, but token.balanceOf() reports 100 tokens, then the fee will be capped at a lower amount. This could benefit an attacker by: • Allowing them to get liquidated with a lower fee, reducing their losses • Preventing honest accounts from being fully liquidated due to the lower fee cap • Manipulating fees accrued by the protocol To prove this vulnerability, an attacker would need to deploy a malicious ERC20 token contract that reports false balances.

Impact

A malicious token could report a falsely high balance via balanceOf(), which would artificially limit the liquidation fee calculated.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L565-L569

Tool used

Manual Review

Recommendation

The market contract should maintain its own balance of the token based on deposits and withdrawals instead of relying on token.balanceOf().

[sherlock-admin]

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

panprog commented:

invalid because collateral is set by trusted party, so collateral can't be malicious