iamandreiski - Protocol admin / Pool Owner will not be able to offboard/delist an asset without breaking liquidations and other core functionalities #311
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Medium
A Medium severity issue.
Reward
A payout will be made for this issue
Sponsor Disputed
The sponsor disputed this issue's validity
Won't Fix
The sponsor confirmed this issue will not be fixed
Summary
Once an asset has been whitelisted in the protocol and used as collateral, it cannot be delisted without breaking liquidations or other core protocol functionality.
There are multiple reasons why an asset might need to be delisted:
Root Cause
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/0b472f4bffdb2c7432a5d21f1636139cc01561a5/protocol-v2/src/RiskEngine.sol#L123-L127
When an asset needs to be whitelisted so that it can be used as a collateral/borrow token, the protocol admin/governance introduces it by setting a valid oracle for it, i.e. an oracle other than address(0).
Once the oracle for the asset has been set in the protocol, the pool owner can enable it as collateral by setting an LTV for it.
The problem is that once this token has been used as collateral, it can no longer be removed without breaking core functionality.
As mentioned in the summary, there are numerous reasons why a collateral asset might need to be delisted; some common examples are:
The pool owner can't set the LTV to 0, nor can the LTV bound be set as 0:
Global settings:
If the oracle address is instead set to address(0), liquidations break. A liquidation is first validated in the validateLiquidation() function, which subsequently calls isPositionHealthy(). That function fetches the asset and debt data of the position; the asset data is fetched via _getPositionAssetData(), which calls getAssetValue(). getAssetValue() reverts because getOracleFor() reverts when the oracle for the asset is address(0).
Not being able to remove a compromised asset as collateral could hurt the protocol and lead to bad debt.
The protocol would have to rely on users to remove the asset from their positions, which is not an effective method, since malicious users could simply refuse to do so in order to avoid liquidation.
Internal pre-conditions
External pre-conditions
Attack Path
Impact
The inability of the protocol to remove an asset as collateral without breaking core functionality could lead to the accumulation of bad debt in the protocol if the asset in question is compromised.
PoC
/
Mitigation
Don't use the oracle setting to determine whether an asset is accepted as collateral. Instead, implement an admin-controlled whitelisting mapping, or allow the LTV to be set to 0 in special cases by the protocol admin only.
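The following sketch is an added example, not Sentiment's RiskEngine code, illustrating the whitelisting-mapping mitigation: offboarding an asset flips a separate `delisted` flag while the oracle stays in place, so valuation (and therefore liquidation) keeps working for existing positions, and only new collateral deposits of that asset are rejected. The contract, function and error names below are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical price source interface (assumption, not the project's IOracle).
interface IOracle {
    function getValueInEth(address asset, uint256 amt) external view returns (uint256);
}

/// Minimal risk module sketch; hypothetical, not Sentiment's RiskEngine.
contract RiskModuleSketch {
    address public owner;
    mapping(address => address) public oracleFor; // asset => oracle
    mapping(address => bool) public delisted;     // asset => offboarded?

    error NoOracle(address asset);
    error AssetDelisted(address asset);

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setOracle(address asset, address oracle) external onlyOwner {
        oracleFor[asset] = oracle;
    }

    // Offboarding keeps the oracle; it only blocks new exposure to the asset.
    function setDelisted(address asset, bool flag) external onlyOwner {
        delisted[asset] = flag;
    }

    // Reverts only when no price source exists, never because of delisting.
    function getOracleFor(address asset) public view returns (address) {
        address o = oracleFor[asset];
        if (o == address(0)) revert NoOracle(asset);
        return o;
    }

    // Used by health checks and liquidations: must keep working for delisted assets.
    function getAssetValue(address asset, uint256 amt) public view returns (uint256) {
        return IOracle(getOracleFor(asset)).getValueInEth(asset, amt);
    }

    // Gate for adding collateral to a position: rejects offboarded assets up front.
    function validateAddCollateral(address asset) external view {
        if (delisted[asset]) revert AssetDelisted(asset);
        getOracleFor(asset); // a price source is still required
    }
}
```

Because `getAssetValue()` never consults `delisted`, a position holding an offboarded asset can still be valued and liquidated, which is exactly the path that breaks when the oracle itself is zeroed out.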
Duplicate of #282