iq 200 user will exploit the interest amount distribution and avoid loss from liquidation
Summary
Malicious user will exploit the interest amount distribution and will dodge the losses from liquidation
Vulnerability Detail
interest amount distribution exploit
value of pool token shares can be increased by interest amount distributed from repayLoanCallback .However protocol implement that interest amount is distributed to pool right away after repayloanCallBack .So malicious users are able to see that transaction in mempool and front running atttack will be occured .Before the interest amount is added to pool , malicious user will mint the shares and after interest amount is added , they will burn the previous minted shares , take the interest distribution.This will be unfair for any other long term users.
dodging the losses from liquidation
Protocol implement that there will be loss for protocol at liquidation if certain amount of time is passed .This losses from liquidation is take into account that calculating the pool total value .Due to Protocol added that loss from liquidation into pool total value right away , there will be exploitation which is that malicious users see that transaction which is gonna occur the losses for protocol in the mempool, then malicious user front run and burn the shares before the loss is occured . The losses from liquidation can be huge which can happen if layer 2 sequencer go down for days . This will be unfair for rest of pool token shares holders .
OMEN
medium
iq 200 user will exploit the interest amount distribution and avoid loss from liquidation
Summary
Malicious user will exploit the interest amount distribution and will dodge the losses from liquidation
Vulnerability Detail
interest amount distribution exploit
value of pool token shares can be increased by interest amount distributed from repayLoanCallback .However protocol implement that interest amount is distributed to pool right away after repayloanCallBack .So malicious users are able to see that transaction in mempool and front running atttack will be occured .Before the interest amount is added to pool , malicious user will mint the shares and after interest amount is added , they will burn the previous minted shares , take the interest distribution.This will be unfair for any other long term users.
dodging the losses from liquidation
Protocol implement that there will be loss for protocol at liquidation if certain amount of time is passed .This losses from liquidation is take into account that calculating the pool total value .Due to Protocol added that loss from liquidation into pool total value right away , there will be exploitation which is that malicious users see that transaction which is gonna occur the losses for protocol in the mempool, then malicious user front run and burn the shares before the loss is occured . The losses from liquidation can be huge which can happen if layer 2 sequencer go down for days . This will be unfair for rest of pool token shares holders .
Impact
Code Snippet
https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L459-L468
https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L700-L708
Tool used
Manual Review
Recommendation
instead of distribute the interest amount and loss from liquidation instantly , distribute those interest and loss over the time .
Duplicate of #110