santipu03
commented
4 months ago This issue is invalid because it's wrong in its calculations and it fails to demonstrate the validity of the issue.
Closed sherlock-admin4 closed 4 months ago
santipu03
commented
4 months ago This issue is invalid because it's wrong in its calculations and it fails to demonstrate the validity of the issue.
almurhasan
high
Liquidation will not work for users for a scenario
Summary
Liquidation will not work for users for a scenario
Vulnerability Detail
Let’s assume, Alice has deposited 100e18 in market1.
Alice calls function borrowAtMaturity with maturity 1745797051(which is 28 april,2025) and borrow 10e18(which is 20e18 in market1) from market2. function borrowAtMaturity calls the function setMaturity.
See function setMaturity, as encoded = 0, so function setMaturity return [ maturity | (1 << 32)] = 1745797051 | 4294967296 = 6040764347. So Alice's account.fixedborrow is set to 6040764347.
Afterthat, alice again calls the function borrowAtMaturity with maturity 1748389051 and borrow 10e18 (which is 20e18 in market1) from market2. function borrowAtMaturity calls the function setMaturity.
See the function setMaturity, here alice’s baseMaturity = encoded & ((1 << 32) - 1) = 6040764347 & 4294967295 = 1745797051. As encoded is not equal to 0 and maturity>basematurity , so this executes the else statement of setmaturity function where range = (1748389051-1745797051)/2419200 = 259200/2419200 = 1. So setmaturity returns 6040764347|(1<<33) = 6040764347|8589934592 = 14630698939. Now Alice's account.fixedborrows is updated to 14630698939.
Now alice calls the repayatmaturity function with maturity 1745797051 to repay the full maturity amount, as full amount is repaid, so fixedBorrowPositions[maturity][borrower] for alice is deleted and clearmaturity function is called with encoded 14630698939 and maturity 1745797051.
See function clearMaturity, here encoded == maturity is false i.e 0, encoded ==0 is false i.e 0, so (encoded == 0 || encoded == maturity | (1 << 32)) gives value 4294967296 which is a non-zero value. So the statement is true and this will return 0. So alice’s account.fixedborrow is set to 0
Now alice becomes liquidable and the liquidate function(market2) is called with alice as borrower, so the liquidate function will revert. Let’s see why? See liquidate function, as alice’s account.fixedBorrows = 0, so packedMaturities 0>>32 = 0.but liquidate function will only work when packedMaturities is not zero but here packedMaturities is zero and liquidation will revert.
Impact
Liquidation will not work for users for a scenario
Code Snippet
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Market.sol#L561
Tool used
Manual Review
Recommendation
implement properly