sherlock-audit / 2023-10-aloe-judging


rvierdiiev - bad debt is not socialized #68

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

rvierdiiev

medium

bad debt is not socialized

Summary

Because bad debt is not socialized, the last lenders will take all of it.

Vulnerability Detail

If a borrower's position is unhealthy, then he can be liquidated. The protocol tries to predict when this will happen and do liquidations before bad debt has occurred (the position is insolvent). However, it is still possible that prices will change so quickly that bad debt occurs.

In this case only part of the debt will be repaid to lenders. Let's check what that means.

When a user calls redeem, _convertToAssets is called to calculate the amount that the user can receive for his shares. It uses inventory and totalSupply to calculate it. Inventory is the balance of the contract + all borrowed amount + fees. So the contract expects that all of the borrowed amount + fees will be repaid.

So if bad debt occurs, it means that part of the borrowed amount and fees will not be received back by the Lender contract; however, the contract still calculates assets using outdated data.

As a result, this bad debt will create contract insolvency, which means that the contract will not have enough balance to pay the last redeemers.

Impact

Bad debt is not distributed among all lenders

Code Snippet

Provided above

Tool used

Manual Review

Recommendation

You should track when a position is closed with bad debt and then notify the Lender contract that the borrower will not be able to return part of the funds. This should decrease the borrowed amount, which will decrease the share price and thus distribute that debt among all lenders.

Duplicate of #32
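
An added example, not part of the original report and not Aloe's code: a simplified Python model of the share accounting described in the report above (fees omitted; the class, its method names and all numbers are hypothetical). It compares what each lender receives on redemption when a 60-token bad debt stays in the borrowed amount with what they receive when it is written off as the recommendation suggests.

```python
class LenderModel:
    """Toy share accounting: inventory = cash held + amount still expected back."""

    def __init__(self):
        self.cash = 0          # tokens the contract actually holds
        self.borrows = 0       # amount the contract still counts as repayable
        self.total_supply = 0  # outstanding shares
        self.shares = {}

    def inventory(self):
        return self.cash + self.borrows

    def deposit(self, who, amount):
        supply = self.total_supply
        minted = amount if supply == 0 else amount * supply // self.inventory()
        self.cash += amount
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted

    def borrow(self, amount):
        self.cash -= amount
        self.borrows += amount

    def repay(self, amount):
        self.cash += amount
        self.borrows -= amount

    def write_off(self, amount):
        # The recommendation: tell the lender this amount will never come back.
        self.borrows -= amount

    def redeem(self, who):
        burned = self.shares.pop(who)
        owed = burned * self.inventory() // self.total_supply
        paid = min(owed, self.cash)  # on-chain the transfer would fail instead
        self.cash -= paid
        self.total_supply -= burned
        return paid

def run(socialize):
    # Constructed scenario: three lenders deposit 100 each, one borrower takes 150.
    pool = LenderModel()
    for lender in ("A", "B", "C"):
        pool.deposit(lender, 100)
    pool.borrow(150)
    pool.repay(90)  # liquidation recovers 90; the remaining 60 is bad debt
    if socialize:
        pool.write_off(60)
    return [pool.redeem(lender) for lender in ("A", "B", "C")]
```

With the stale borrowed amount, lenders A and B redeem at full price and lender C is left with the entire 60-token shortfall; with the write-off, the share price drops first and each lender loses 20.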

sherlock-admin2 commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

panprog commented:

valid medium, dup of #32

MohammedRizwan commented:

seems intended design

haydenshively commented 12 months ago

Fixed in https://github.com/aloelabs/aloe-ii/pull/223

roguereddwarf commented 12 months ago

Mitigation Review:

See parent issue #32.