trachev - The liquidation protocol fee is not reduced from the total supply shares, allowing liquidated borrowers to steal from other users #260

Closed
sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

sherlock-admin2 commented Sep 10, 2024

trachev

High

The liquidation protocol fee is not reduced from the total supply shares, allowing liquidated borrowers to steal from other users

Summary

In executeLiquidationCall, when collateral is withdrawn from the liquidated borrower and transferred to the liquidator, the liquidation fee shares are not removed from the liquidated borrower's share balance. As a result, the liquidated borrower will have access to the fee shares, allowing them to withdraw assets that do not belong to them, essentially stealing from suppliers.

Root Cause

  • In _burnCollateralTokens, when withdrawCollateral is called, the amount parameter, which needs to represent the total collateral withdrawn from the liquidated user, is only set to vars.actualCollateralToLiquidate. This is an issue as vars.liquidationProtocolFeeAmount is also taken from the liquidated user's collateral, but the shares that the fee amount is worth are not removed from the collateral balance of the liquidated user.

Internal pre-conditions

  1. liquidationProtocolFeePercentage must be more than 0.

External pre-conditions

No response

Attack Path

  1. A liquidation occurs with actualCollateralToLiquidate equal to 10 ETH and liquidationProtocolFeeAmount equal to 1 ETH.
  2. 10 ETH worth of shares are removed from the liquidated user's supply balance when withdrawCollateral is called.
  3. However, the 1 ETH of fees, which is also part of the liquidatee's collateral, is transferred to the treasury, but 1 ETH worth of shares is not removed from the liquidated user's balance.
  4. As a result, the liquidated user has access to 1 ETH worth of shares that do not belong to them anymore, and if they were withdrawn, the amount would be taken out of other innocent suppliers.

Impact

Funds will be stolen from innocent suppliers when a liquidation occurs.

PoC

No response

Mitigation

In _burnCollateralTokens, when withdrawCollateral is called, the amount parameter must be set to vars.actualCollateralToLiquidate + the number of liquidation fees.

Duplicate of #228

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. labels Sep 20, 2024
@sherlock-admin3 sherlock-admin3 changed the title from "Curly Pineapple Armadillo - The liquidation protocol fee is not reduced from the total supply shares, allowing liquidated borrowers to steal from other users" to "trachev - The liquidation protocol fee is not reduced from the total supply shares, allowing liquidated borrowers to steal from other users" Oct 3, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Oct 3, 2024
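
The accounting gap described in the Attack Path and Mitigation sections, modeled in Python as an added example (this is not the project's contract code and not part of the original report). It assumes a share index fixed at 1:1; `Pool`, `liquidate` and `run_scenario` are hypothetical names, and the 100 ETH and 20 ETH starting balances are constructed.

```python
from dataclasses import dataclass, field

ETH = 10**18  # amounts in wei; share index fixed at 1 (1 share == 1 wei), an assumption


@dataclass
class Pool:
    """Simplified model of one collateral reserve (hypothetical, not project code)."""
    assets: int = 0                              # underlying actually held
    shares: dict = field(default_factory=dict)   # user -> supply shares

    def supply(self, user: str, amount: int) -> None:
        self.assets += amount
        self.shares[user] = self.shares.get(user, 0) + amount

    def withdraw_all(self, user: str) -> int:
        """Redeem every share the user holds, capped by what the pool still has."""
        paid = min(self.shares.pop(user, 0), self.assets)
        self.assets -= paid
        return paid

    def shortfall(self) -> int:
        """Outstanding share claims that are no longer backed by assets."""
        return max(0, sum(self.shares.values()) - self.assets)


def liquidate(pool, borrower, collateral, fee, burn_fee_shares):
    """Seize `collateral` for the liquidator and `fee` for the treasury."""
    pool.assets -= collateral + fee              # both amounts leave the reserve
    burned = collateral + (fee if burn_fee_shares else 0)
    pool.shares[borrower] -= burned              # shares removed from the borrower


def run_scenario(burn_fee_shares: bool):
    """Constructed scenario using the Attack Path figures: 10 ETH seized, 1 ETH fee."""
    pool = Pool()
    pool.supply("supplier", 100 * ETH)           # constructed balances
    pool.supply("borrower", 20 * ETH)
    liquidate(pool, "borrower", 10 * ETH, 1 * ETH, burn_fee_shares)
    gap_after_liquidation = pool.shortfall()
    borrower_out = pool.withdraw_all("borrower")
    supplier_out = pool.withdraw_all("supplier")
    return gap_after_liquidation, borrower_out, supplier_out


if __name__ == "__main__":
    for label, fixed in (("fee shares not burned", False), ("fee shares burned", True)):
        gap, b, s = run_scenario(fixed)
        print(f"{label}: gap={gap / ETH} borrower={b / ETH} supplier={s / ETH}")
```

The `shortfall()` comparison of total share claims against held assets is the invariant to assert in a test suite after every liquidation path.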