Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

trachev - Liquidation protocol fee is not considered when calculating interest rates after liquidations #257

Closed
sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Closed

trachev - Liquidation protocol fee is not considered when calculating interest rates after liquidations #257

sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Sep 10, 2024
edited by WangSecurity
Loading

trachev

Medium

Liquidation protocol fee is not considered when calculating interest rates after liquidations

Summary

When a liquidation occurs and interest rates of the collateral reserve are updated, the calculation of the new interest rates does not consider that liquidation protocol fees will also be withdrawn. This causes the collateral reserve interest rates to be higher than intended.

Root Cause

In _burnCollateralTokens when updateInterestRates is called, the value for the _liquidityTaken parameter is set to vars.actualCollateralToLiquidate. This is an issue as it does not include the value of the liquidation protocol fee, transferred to the treasury.
Those fees also need to be a part of _liquidityTaken as IReserveInterestRateStrategy(_reserve.interestRateStrategyAddress).calculateInterestRates will calculate the new interest rate based on the pool's balance of the asset. As the fee transfer is performed after the rates are updated, the asset balance of the pool will be incorrectly inflated by the value of the fees, causing calculateInterestRates to return a higher value and interest rates to be higher than intended.

Internal pre-conditions

  1. liquidationProtocolFeePercentage must be more than 0.

External pre-conditions

No response

Attack Path

  1. A liquidation occurs with actualCollateralToLiquidate equal to 10 ETH and liquidationProtocolFeeAmount equal to 1 ETH.
  2. In order to calculate what the collateral reserve interest rates should be, updateInterestRates is called in _burnCollateralTokens. There the pool's balance of the asset is inflated by 1 ETH of liquidation fees which are going to be transferred from the pool to the treasury after _burnCollateralTokens has been fully executed.
  3. Interest rates are wrongly calculated and are more than intended as _liquidityTaken does not include the 1 ETH of liquidation fees.

Impact

As a result, when a liquidation occurs interest rates will be higher than what the protocol intends.

PoC

No response

Mitigation

In _burnCollateralTokens when updateInterestRates is called, the value for the _liquidityTaken parameter should be set to vars.actualCollateralToLiquidate + the number of liquidation fees.

Duplicate of #401
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. labels Sep 20, 2024
@sherlock-admin3 sherlock-admin3 changed the title Curly Pineapple Armadillo - Liquidation protocol fee is not considered when calculating interest rates after liquidations trachev - Liquidation protocol fee is not considered when calculating interest rates after liquidations Oct 3, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Oct 3, 2024
@cvetanovv cvetanovv mentioned this issue Oct 17, 2024
Closed
@WangSecurity WangSecurity added Medium A Medium severity issue. and removed High A High severity issue. labels Oct 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@WangSecurity @sherlock-admin2 @sherlock-admin3