search

sherlock-audit / 2023-12-jojo-exchange-update-judging

10 stars 6 forks source link

lil.eth - Users can still avoid to be liquidated #78

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 10 months ago

lil.eth

high

Users can still avoid to be liquidated

Summary

in cases where liquidateData.liquidatedRemainUSDC != 0 the user can still avoid being liquidated even if this finding has been highlighted in the last contest, sponsor didn't changed how

Vulnerability Detail

Since the liquidate function has a requirement that checks if the remaining USDC has been transferred to the user who is being liquidated, this user can exploit this and cause them to be added to the USDC blacklist to avoid being liquidated.

function liquidate(...)
{
        // ... CODE ... //
        _afterLiquidateOperation(afterOperationParam, amount, collateral, liquidated, liquidateData);

        require(
            JUSDBorrowedT0 - userInfo[liquidated].t0BorrowBalance >= liquidateData.actualLiquidatedT0,
            Errors.REPAY_AMOUNT_NOT_ENOUGH
        );
        require(
            IERC20(primaryAsset).balanceOf(insurance) - primaryInsuranceAmount >= liquidateData.insuranceFee,
            Errors.INSURANCE_AMOUNT_NOT_ENOUGH
        );
        require(
            IERC20(primaryAsset).balanceOf(address(this)) - primaryLiquidatedAmount
                >= liquidateData.liquidatedRemainUSDC,
            Errors.LIQUIDATED_AMOUNT_NOT_ENOUGH
        );
        IERC20(primaryAsset).safeTransfer(liquidated, liquidateData.liquidatedRemainUSDC);
        // ... CODE ... //
}

Impact

The liquidation process might DoS due to its reliance on paying back remaining tokens in USDC only. This will error where transferring USDC tokens to blacklisted users can cause the transaction to be reverted, disrupting the liquidation flow. This will result in a bad debt for the platform.

Code Snippet

https://github.com/sherlock-audit/2023-12-jojo-exchange-update/blob/main/smart-contract-EVM/src/JUSDBank.sol#L186C1-L199C91

Tool used

Manual Review

Recommendation

Skip the repayment for USDC Blacklisted users or create a new mapping and withdraw function for storing liquidated USDC that has to be claimed by liquidated users

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { this is invalid due to the impact mentioned; and according to the sherlock's rule VII. number 9 this is an invalid findings}

nevillehuang commented 9 months ago

Invalid, known issue seen here

0xllill commented 9 months ago

@nevillehuang It wasn't referenced on the known issues of the contest and it hasn't been fixed no ?