sherlock-admin2
commented
1 year ago 1 comment(s) were left on this issue during the judging contest.
MohammedRizwan commented:
valid
Closed sherlock-admin2 closed 1 year ago
sherlock-admin2
commented
1 year ago 1 comment(s) were left on this issue during the judging contest.
MohammedRizwan commented:
valid
mstpr-brainbot
high
Liquidations can make debt stuck in the Lenders
Summary
During liquidation, the borrower's stored balance is used. If there's been a significant period where the interest hasn't been updated, the liquidator might only address the stored amount, excluding the accumulated interest.
Vulnerability Detail
Suppose Alice is eligible for liquidation and her recorded liabilities are 100 of token0 and none of token1. However, these are the "stored" values for Alice. Her actual balance becomes 101 once the latest interest accrues.
Now, Bob, the liquidator, steps in to liquidate Alice. But he doesn't account for the latest interest in the pool, so the maximum repay amount is capped at 100 instead of the actual 101, as seen here: https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L231-L232
After a successful liquidation, only 100 tokens will be repaid to the lender, meaning 1 token is missing. The pool assumes that this amount will be repaid eventually. However, this single token is still treated as an outstanding loan by the lender, who anticipates its eventual repayment by Alice, continuing to accrue interest on it. Yet neither Alice nor anyone else is obligated to repay this amount since Alice has already been liquidated. As a result, there's no incentive for anyone to repay this excess amount to the lender. Even though such small discrepancies might seem trivial, they compromise the integrity of the accounting logic. Considering that this scenario could recur across multiple users and the repaid amounts continue accruing interest, the accounting discrepancies could escalate into significant issues.
Impact
Since liquidators are limited to repaying only the stored balance and aren't required to update the pool's latest interest, this can lead to discrepancies in the lender's records. Consequently, some debt may remain indefinitely and will continue accruing interest. Therefore, I classify this as high.
Code Snippet
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Ledger.sol#L225-L232 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L527-L530 https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L231-L232
Tool used
Manual Review
Recommendation
Use borrowBalance inside the lender not the stored balance such that the liquidators are forced to repay the entire amount regardless of that's incentivized or not
Duplicate of #41