A2-security - Inaccurate Interest Rate Calculation in Liquidation Process #321
Comments
escalate
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
If I may add also, this issue, issue 341, 257 and 145 should all be duplicated with 401. Root cause is about interest update not liquidity removal.
I agree with the escalation and @Tomiwasa0 comment. #321, #341, #257, and #145 are duplicates of #401 because of the same root cause that the interest rate would be calculated wrong if the liquidation fee is not accounted in
Planning to accept the escalation and duplicate #321, #341, #257, and #145 with #401.
Result:
Escalations have been resolved successfully! Escalation status:
@cvetanovv Can you please take a look at this comment on 401.
A2-security
Medium
Inaccurate Interest Rate Calculation in Liquidation Process
Summary
The liquidation process in the LiquidationLogic.sol contract incorrectly calculates the interest rate for the collateral asset by underestimating the amount of liquidity taken. The calculation only considers the amount seized by the liquidator and ignores the additional liquidation fee sent to the protocol treasury. This leads to an inaccurate utilization ratio and consequently affects the liquidity index and the yield for depositors.
Vulnerability Detail
The LiquidationLogic.sol contract involves seizing collateral from the violator and then updating the interest rate, since some collateral will be leaving the protocol. The seized amount consists of two parts: the liquidation amount taken by the liquidator and the liquidation fee sent to the protocol treasury.
The _burnCollateralTokens function, which is responsible for updating the interest rates, only considers the liquidation amount taken by the liquidator (vars.actualCollateralToLiquidate) when calculating the interest rate. It ignores the liquidation fee (vars.liquidationProtocolFeeAmount) that is also sent to the treasury.
Here's the relevant code snippet from LiquidationLogic.sol:
The vulnerability lies in the fact that the liquidation fee, which is sent to the treasury, is not accounted for in the interest rate calculation, leading to an underestimation of the liquidity taken and an incorrect interest rate (loss of yield for suppliers, since the utilisation ratio will be less than it should be, and all interest rate models are functions of the utilisation ratio).
Impact
Code Snippet
Tool used
Manual Review
Recommendation
The _burnCollateralTokens function should be updated to include the liquidation fee (vars.liquidationProtocolFeeAmount) when calculating the interest rate.
Duplicate of #401
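The effect the report describes, as an added numeric model that is not part of the original issue or the project's code: it computes the utilization, borrow rate and supply rate a rate update would see when the liquidity taken is only the liquidator's amount versus that amount plus the protocol fee. The ray scaling, the kinked rate model with its parameters, and the reserve figures are constructed assumptions; only the two amount names mirror the report's variables.

```python
from dataclasses import dataclass

RAY = 10**27  # fixed-point scale (assumption, not taken from the project)

@dataclass
class Reserve:
    available_liquidity: int  # collateral asset held by the pool before liquidation
    total_debt: int           # outstanding borrows of that asset

def utilization(available: int, debt: int) -> int:
    """Utilization in ray: debt / (available + debt)."""
    total = available + debt
    return 0 if total == 0 else debt * RAY // total

def borrow_rate(u: int) -> int:
    """Hypothetical kinked model: 4% slope up to 80% utilization, 75% above."""
    optimal, slope1, slope2 = 80 * RAY // 100, 4 * RAY // 100, 75 * RAY // 100
    if u <= optimal:
        return slope1 * u // optimal
    return slope1 + slope2 * (u - optimal) // (RAY - optimal)

def rates_after_liquidation(reserve: Reserve, actual_collateral_to_liquidate: int,
                            liquidation_protocol_fee_amount: int, include_fee: bool):
    """Return (utilization, borrow rate, supply rate) the rate update would see."""
    liquidity_taken = actual_collateral_to_liquidate
    if include_fee:  # the accounting the report recommends
        liquidity_taken += liquidation_protocol_fee_amount
    if liquidity_taken > reserve.available_liquidity:
        raise ValueError("liquidation would take more than the pool holds")
    available = reserve.available_liquidity - liquidity_taken
    u = utilization(available, reserve.total_debt)
    b = borrow_rate(u)
    return u, b, b * u // RAY  # supply rate, reserve factor ignored

if __name__ == "__main__":
    reserve = Reserve(available_liquidity=400, total_debt=600)  # constructed figures
    for include_fee in (False, True):
        u, b, s = rates_after_liquidation(reserve, 190, 10, include_fee)
        print(f"fee counted={include_fee}: utilization={u / RAY:.4%} "
              f"borrow={b / RAY:.4%} supply={s / RAY:.4%}")
```

With the fee left out, the model sees more liquidity remaining than the pool actually holds, so every rate derived from utilization comes out lower than the rate for the true post-liquidation state.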