During the liquidation of the market, the target receiver will receive the collateral of the liquidated user and should transfer back to the market contract the asset tokens corresponding to the liquidated borrow amount. The excess tokens will be used to extract fees for the market. However, the caller of the liquidation can transfer the exact liquidated borrow amount, resulting in 0 excess assets.
Vulnerability Detail
In BBLiquidation._liquidateUser, it triggers _swapCollateralWithAsset to swap collateral to obtain asset shares. _liquidatorReceiver address is passed by the caller, so the caller can prepare to transfer the exact borrowShare of the asset. Afterward, no fee will be extracted in the _extractLiquidationFees function.
duc
medium
Liquidation's caller in the market can avoid fees
Summary
During the liquidation of the market, the target receiver will receive the collateral of the liquidated user and should transfer back to the market contract the asset tokens corresponding to the liquidated borrow amount. The excess tokens will be used to extract fees for the market. However, the caller of the liquidation can transfer the exact liquidated borrow amount, resulting in 0 excess assets.
Vulnerability Detail
In
BBLiquidation._liquidateUser
, it triggers_swapCollateralWithAsset
to swap collateral to obtain asset shares._liquidatorReceiver
address is passed by the caller, so the caller can prepare to transfer the exact borrowShare of the asset. Afterward, no fee will be extracted in the_extractLiquidationFees
function.Impact
Liquidation caller can avoid fees
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLiquidation.sol#L262-L266
Tool used
Manual Review
Recommendation
Should extract fees of liquidation based on liquidated collateral bonus instead of receive shares from swap.
Duplicate of #33