The liquidation fee calculation is vulnerable to manipulation by the token contract reporting false balances
Summary
The liquidation fee calculation relies on the token contract's balanceOf() function to get the token balance, which could potentially be manipulated.
Vulnerability Detail
The _liquidationFee function calculates the liquidation fee based on the latest position and risk parameters. It then caps the fee at the total reported balance of the token contract by calling token.balanceOf().
This allows the token contract to manipulate the fee calculation by reporting a false low balance. For example, if the actual balance is 1000 tokens, but token.balanceOf() reports 100 tokens, then the fee will be capped at a lower amount.
This could benefit an attacker by:
• Allowing them to get liquidated with a lower fee, reducing their losses
• Preventing honest accounts from being fully liquidated due to the lower fee cap
• Manipulating fees accrued by the protocol
To prove this vulnerability, an attacker would need to deploy a malicious ERC20 token contract that reports false balances.
Impact
A malicious token could report a falsely high balance via balanceOf(), which would artificially limit the liquidation fee calculated.
feelereth
high
The liquidation fee calculation is vulnerable to manipulation by the token contract reporting false balances
Summary
The liquidation fee calculation relies on the token contract's balanceOf() function to get the token balance, which could potentially be manipulated.
Vulnerability Detail
The _liquidationFee function calculates the liquidation fee based on the latest position and risk parameters. It then caps the fee at the total reported balance of the token contract by calling token.balanceOf(). This allows the token contract to manipulate the fee calculation by reporting a false low balance. For example, if the actual balance is 1000 tokens, but token.balanceOf() reports 100 tokens, then the fee will be capped at a lower amount. This could benefit an attacker by: • Allowing them to get liquidated with a lower fee, reducing their losses • Preventing honest accounts from being fully liquidated due to the lower fee cap • Manipulating fees accrued by the protocol To prove this vulnerability, an attacker would need to deploy a malicious ERC20 token contract that reports false balances.
Impact
A malicious token could report a falsely high balance via balanceOf(), which would artificially limit the liquidation fee calculated.
Code Snippet
https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L565-L569
Tool used
Manual Review
Recommendation
The market contract should maintain its own balance of the token based on deposits and withdrawals instead of relying on token.balanceOf().