Closed sherlock-admin2 closed 4 months ago
hyh
high
totalBorrow.elastic
totalBorrow.base
totalBorrow.elastic and totalBorrow.base aren't updated on regular liquidations in BB and SGLLiquidation.
totalBorrow.elastic and totalBorrow.base has to be updated on debt change, but they aren't.
Severe accounting mismatch leads to protocol-wide losses for the users.
totalBorrow.elastic and totalBorrow.base aren't updated on regular liquidations in SGLLiquidation:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLiquidation.sol#L268-L295
function _updateBorrowAndCollateralShare( ... ) private returns (uint256 borrowAmount, uint256 borrowPart, uint256 collateralShare) { (borrowAmount, borrowPart, collateralShare) = _viewLiqudationBorrowAndCollateralShare( ... ); userBorrowPart[user] -= borrowPart; userCollateralShare[user] -= collateralShare; }
And in BBLiquidation:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLiquidation.sol#L226-L228
userBorrowPart[user] -= borrowPart; userCollateralShare[user] -= collateralShare; }
Manual Review
function _updateBorrowAndCollateralShare( ... ) private returns (uint256 borrowAmount, uint256 borrowPart, uint256 collateralShare) { (borrowAmount, borrowPart, collateralShare) = _viewLiqudationBorrowAndCollateralShare( ... ); userBorrowPart[user] -= borrowPart; userCollateralShare[user] -= collateralShare; + totalBorrow.elastic -= borrowAmount.toUint128(); + totalBorrow.base -= borrowPart.toUint128(); }
userBorrowPart[user] -= borrowPart; userCollateralShare[user] -= collateralShare; + totalBorrow.elastic -= borrowAmount.toUint128(); + totalBorrow.base -= borrowPart.toUint128(); }
Duplicate of #49
Duplicate of https://github.com/sherlock-audit/2024-02-tapioca-judging/issues/49
maarcweiss
commented
4 months ago maarcweiss
commented
4 months ago
hyh
high
totalBorrow.elasticandtotalBorrow.basearen't updated in BB and SGL regular liquidationsSummary
totalBorrow.elasticandtotalBorrow.basearen't updated on regular liquidations in BB and SGLLiquidation.Vulnerability Detail
totalBorrow.elasticandtotalBorrow.basehas to be updated on debt change, but they aren't.Impact
Severe accounting mismatch leads to protocol-wide losses for the users.
Code Snippet
totalBorrow.elasticandtotalBorrow.basearen't updated on regular liquidations in SGLLiquidation:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLiquidation.sol#L268-L295
And in BBLiquidation:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLiquidation.sol#L226-L228
Tool used
Manual Review
Recommendation
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLiquidation.sol#L268-L295
And in BBLiquidation:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLiquidation.sol#L226-L228
Duplicate of #49