search

sherlock-audit / 2023-12-arcadia-judging

19 stars 15 forks source link

iberry - startLiquidation() is external function in LendingPool.sol don't limit access #157

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

iberry

high

startLiquidation() is external function in LendingPool.sol don't limit access

Summary

This function startLiquidation in the LendingPool.sol contract is accessible externally, meaning it can be called from outside the contract by other contracts or externally owned accounts.

Vulnerability Detail

The vulnerability arises from the fact that multiple calls to startLiquidation may trigger the reward mechanism multiple times without proper checks to prevent excessive rewards being given to the caller (msg.sender).

Impact

If multiple calls to startLiquidation can result in an unintended increase in rewards for the msg.sender and enlarge totalRealisedLiquidity to reduce ‘interestRate’ finally

Code Snippet

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/lending-v2/src/LendingPool.sol#L861-L901

Tool used

Manual Review

Recommendation

Change external function startLiquidation() to internal function or limit access

Duplicate of #15

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid: only account with debt can call the function