Closed sherlock-admin closed 11 months ago
This is absolutely true and the beauty of our algorithm.)) The borrower will only have to pay 1 wei of margin deposit. https://github.com/sherlock-audit/2023-10-real-wagmi/blob/b33752757fd6a9f404b8577c1eae6c5774b3a0db/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L136
seeques
high
Borrowers that borrow from certain positions can get leverage without paying collateral due to inaccurate borrowingCollateral calculations
Summary
During borrowing, a borrower has to pay some collateral in holdToken plus deposit for holding a position for 24 hours. However, if the uniswap position is above the current tick for token0 (or below it for token1) the borrower would pay 0
borrowingCollateral
.Vulnerability Detail
The vulnerable line in question:
cache.borrowedAmount
is the amount of token0 or token1 calculated in_getSingleSideRoundUpBorrowedAmount()
function based on the provided liquidity andzeroForSaleTokenFlag
. After that calculation, the liquidity is pulled from the uniswap position in call to_decreasePostion()
and is sent to theLiquidityBorrowingManager
contract. Then, theborrow()
function continues to check how many borrowTokens and saleTokens were transferred from the position by checking contract's balancesAnd if
saleTokenBalance > 0
, the saleToken is swapped through the external swap function or through uniswap. The amount swapped is then added tocache.holdTokenBalance
.Now, suppose there are no saleTokens that were pulled from LP (meaning that the position is above the current tick if the borrowToken is token0). It means that
cache.holdTokenBalance == cache.borrowedAmount
and theborrowingCollateral == 0
. Since it is the amount the borrower should pay if he decides to borrow, he can receive almost free leverage (he only needs to pay the liquidationBonus and the deposit for holding a position for 24 hours).Impact
Getting an almost collateral-free leverage is in contradiction with what expected by the team and breaks the whole point of leverage trading.
Code Snippet
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L492 https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L848-L853 https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L201-L209 https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L116 https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L349 https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L869-L896
Tool used
Manual Review
Recommendation
If the
borrowingCollateral
turns out to be 0, ensure that some minimum amount of collateral is paid by the borrower. It can be a percent of theborrowedAmount
.