sherlock-audit / 2023-12-arcadia-judging


Topmark - Liquidator can unfairly liquidate a user's asset #188

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

Topmark

medium

Liquidator can unfairly liquidate a user's asset

Summary

Liquidator can unfairly liquidate a user's asset even when it should not be liquidatable in the AccountV1 contract.

Vulnerability Detail

function auctionBid(
    address[] memory assetAddresses,
    uint256[] memory assetIds,
    uint256[] memory assetAmounts,
    address bidder
) external onlyLiquidator nonReentrant {
    _withdraw(assetAddresses, assetIds, assetAmounts, bidder);
}

The code above shows how Liquidator handles withdrawal through the auctionBid function. The problem is that Liquidator can unfairly liquidate a user due to the absence of necessary validations, examples of which can be seen in how withdrawal was handled at L896 of the same contract.

Impact

Liquidator can unfairly liquidate a user's asset even when it should not be liquidatable in the AccountV1 contract.

Code Snippet

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/accounts/AccountV1.sol#L561

Tool used

Manual Review

Recommendation

Protocol should ensure necessary validations to prevent the liquidator from unfairly liquidating a user without the necessary validation having been done.

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 9 months ago

Invalid, auctionBid() can only be called via Liquidator.sol here, wherein the account must have been insolvent before a liquidation was allowed to start, as seen by this check here.
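
The pattern the judging comment relies on, as an added sketch that is not part of this thread and is not Arcadia's code: the account-side function carries only access control, while the single privileged caller enforces the solvency precondition before any bid can reach it. Only `auctionBid` and `onlyLiquidator` come from the issue; `ModelAccount`, `ModelLiquidator`, `liquidateAccount`, `bid`, `auctionInProgress`, `paidOut` and the `debt > collateralValue` rule are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model, not Arcadia's code. Only auctionBid and onlyLiquidator
// come from the issue; every other name and the solvency rule are hypothetical.
contract ModelAccount {
    address public immutable liquidator;
    uint256 public collateralValue; // constructed stand-in for asset valuation
    uint256 public debt;            // constructed stand-in for open liabilities
    mapping(address => uint256) public paidOut;

    constructor(address liquidator_, uint256 collateralValue_, uint256 debt_) {
        liquidator = liquidator_;
        collateralValue = collateralValue_;
        debt = debt_;
    }

    modifier onlyLiquidator() {
        require(msg.sender == liquidator, "only liquidator");
        _;
    }

    // As in the reported snippet: no solvency check here, only access control.
    function auctionBid(uint256 amount, address bidder) external onlyLiquidator {
        collateralValue -= amount; // stands in for _withdraw(..., bidder)
        paidOut[bidder] += amount;
    }
}

contract ModelLiquidator {
    mapping(address => bool) public auctionInProgress;

    // The solvency precondition is enforced once, when the auction is opened.
    function liquidateAccount(ModelAccount account) external {
        require(account.debt() > account.collateralValue(), "account is solvent");
        auctionInProgress[address(account)] = true;
    }

    // Only path to auctionBid in this model: reverts unless an auction was opened.
    function bid(ModelAccount account, uint256 amount) external {
        require(auctionInProgress[address(account)], "no auction for account");
        account.auctionBid(amount, msg.sender);
    }
}
```

When triaging a report of this shape, the checks that matter are that the privileged role can only be held by the contract that enforces the precondition, and that every path in that contract leading to the guarded call passes through the check.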