sherlock-audit / 2023-10-aloe-judging


0x007 - There's no remedy for when liquidator manipulates price #111

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

0x007

high

There's no remedy for when liquidator manipulates price

Summary

Borrower checks for price manipulation when the owner wants to modify the position. However, there's no such check on liquidate, and this could lead to undesired situations.

Vulnerability Detail

In modify, there are 2 checks on price manipulation. It checks if the price seemsLegit and whether the pool has been paused in factory.

require(
    seemsLegit && (block.timestamp > pausedUntilTime) && (address(this).balance >= ante),
    "Aloe: missing ante / sus price"
);

This is to protect lenders from price manipulation by the borrower. However, an attacker could manipulate the price so that multiple Borrower contracts become unHealthy. When that happens, the liquidation would be successful and borrowers can't do anything to protect themselves. If borrowers notice this aggression, they can't modify their position, and if they pause the pool, it won't affect liquidations.

This is because liquidate does not check whether the price is legit or whether the pool has been paused.

Impact

Attacker can manipulate price to make multiple Borrowers unHealthy and liquidate them.

Code Snippet

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L319C13-L322C15
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L206

Tool used

Manual Review

Recommendation

Consider checking whether the price is legit or the pool has been paused before liquidating.

Duplicate of #72
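A minimal sketch of the asymmetry this issue describes and of the recommendation, added here as an illustration; it is not Aloe's code. `IOracle`, `IFactory`, `BorrowerSketch`, `borrow`, `isHealthy` and `LTV_BPS` are hypothetical stand-ins for the real components, and the guard is factored into one modifier so the owner path and the liquidation path read the same `seemsLegit` and `pausedUntilTime` signals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical oracle: spot price (debt units per collateral unit, 1e18-scaled) plus a
// flag saying whether spot agrees with a longer-window reference (the page's `seemsLegit`).
interface IOracle {
    function consult() external view returns (uint256 price, bool seemsLegit);
}
// Hypothetical factory exposing the per-pool pause timestamp (the page's `pausedUntilTime`).
interface IFactory {
    function pausedUntilTime(address pool) external view returns (uint256);
}
contract BorrowerSketch {
    IOracle public immutable oracle;
    IFactory public immutable factory;
    address public immutable pool;
    address public immutable owner;
    uint256 public collateral; // collateral units held by this account
    uint256 public debt;       // debt units owed
    uint256 public constant LTV_BPS = 8_000; // debt capped at 80% of collateral value

    constructor(IOracle o, IFactory f, address p, uint256 c, uint256 d) {
        oracle = o; factory = f; pool = p; owner = msg.sender; collateral = c; debt = d;
    }

    // The guard the page shows on `modify`: price looks legit AND the pool is not paused.
    modifier priceLooksSane() {
        (, bool seemsLegit) = oracle.consult();
        require(seemsLegit && block.timestamp > factory.pausedUntilTime(pool), "sus price / paused");
        _;
    }

    // Health at `price`: debt must not exceed LTV_BPS of the collateral's value.
    function isHealthy(uint256 price) public view returns (bool) {
        return debt * 10_000 <= (collateral * price / 1e18) * LTV_BPS;
    }

    // Owner path (the page's `modify`): may add debt only while the price is trustworthy.
    function borrow(uint256 amount) external priceLooksSane {
        require(msg.sender == owner, "not owner");
        debt += amount;
        (uint256 price, ) = oracle.consult();
        require(isHealthy(price), "unhealthy");
    }

    // Liquidation path. Without `priceLooksSane` (the situation the issue describes), a spot
    // price the oracle itself flags as suspicious could still drive a seizure while the
    // owner's `borrow` is blocked by that very flag; with it, both paths share one gate.
    function liquidate() external priceLooksSane {
        (uint256 price, ) = oracle.consult();
        require(!isHealthy(price), "healthy");
        (collateral, debt) = (0, 0); // sketch of seizure: position passes to msg.sender
    }
}
```

Whether liquidations should be gated on these signals at all is a design trade-off (the judging comments below call the current behaviour intended); the sketch only shows where such a check would sit.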

sherlock-admin2 commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

panprog commented:

medium, dup of #15

MohammedRizwan commented:

low severity seems intended design