Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users cannot eliminate the liquidation risk when the CR falls below the liquidation CR by repaying partially #78

Closed
c4-bot-10 opened this issue Jul 1, 2024 · 3 comments
Closed

Users cannot eliminate the liquidation risk when the CR falls below the liquidation CR by repaying partially #78

c4-bot-10 opened this issue Jul 1, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-107 🤖_73_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-10
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/Compensate.sol#L120-L125
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/Size.sol#L250

Vulnerability details

Impact

When users' CR falls below the liquidation CR, their positions become liquidatable, and users will experience loss through liquidation.
To avoid this, users should try to increase their CR by depositing more collateral or repaying their debts.
However, repaying the full debt can be difficult, so there is a compensate function that allows users to repay their debts partially.

The compensate function checks whether the user's CR is larger than the liquidation CR.
In scenarios where collateral prices fall suddenly and users' CR falls below the liquidation CR, users need to try to increase their CR.
It's not always possible for users to have additional collateral, and repaying the full debt before maturity is not effective.

Some users will try to partially repay their debts using their USDC tokens.
However, the CR will remain unchanged, and their attempt will be reverted due to their CR is still below the liquidation CR.
This means that their positions could still be liquidated, leading to losses.

Proof of Concept

Imagine Bob borrows 100 USDC from Alice and has enough WETH as collateral.
The WETH price suddenly falls, and Bob's CR becomes 129, while the current liquidation CR is 130.
This means that Bob's debt position is liquidatable.
To avoid loss, Bob tries to repay his debt partially.
For example, he has 50 USDC and attempts to split his 100 USDC debt into two smaller debts of 50 USDC each, then repay one of them.

function executeCompensate(State storage state, CompensateParams calldata params) external {
    if (params.creditPositionToCompensateId == RESERVED_ID) {
        creditPositionToCompensate = state.createDebtAndCreditPositions({  // @audit, here
            lender: msg.sender,
            borrower: msg.sender,
            futureValue: amountToCompensate,
            dueDate: debtPositionToRepay.dueDate
        });
    } else {
      
    }

    
    state.reduceDebtAndCredit(
        creditPositionWithDebtToRepay.debtPositionId, params.creditPositionWithDebtToRepayId, amountToCompensate
    );
}

However, his attempt will be reverted due to the last check in the compensate function.

function compensate(CompensateParams calldata params) external payable override(ISize) whenNotPaused {
    state.validateCompensate(params);
    state.executeCompensate(params);
    state.validateUserIsNotUnderwater(msg.sender); // @audit, here
}

His CR remains 129, which is still less than 130.
As a result, his 100 USDC debt position will be liquidated, leading to a loss.

Of course, in the compensate function, the user's CR can decrease when there is a fragmentation fee.
However, in most cases, the CR can increase when users try to compensate using already existing credit positions or remain unchanged when creating new debt and credit positions.
Therefore, it is sufficient to revert only when the CR decreases and is less than the liquidation CR.
If there is no decrease in CR, this action will benefit the protocol's health.

Please add below test to the test/local/actions/Compensate.t.sol:

function test_Compensate_compensate_fail_underwater() public {
    _deposit(alice, usdc, 100e6);

    _deposit(bob, usdc, 50e6);
    _deposit(bob, weth, 129e18);

    _buyCreditLimit(alice, block.timestamp + 365 days, YieldCurveHelper.pointCurve(365 days, 0.03e18));
    uint256 debtPositionId = _sellCreditMarket(bob, alice, RESERVED_ID, 100e6, 365 days, true);
    uint256 creditPositionId = size.data().nextCreditPositionId - 1;

    _setPrice(1e18);

    vm.prank(bob);
    vm.expectRevert(
        abi.encodeWithSelector(
            Errors.USER_IS_UNDERWATER.selector, bob, 1290000000000000000
        )
    );
    size.compensate(
        CompensateParams({
            creditPositionWithDebtToRepayId: creditPositionId,
            creditPositionToCompensateId: RESERVED_ID,
            amount: 50e6
        })
    );
}

Tools Used

Recommended Mitigation Steps

Revert only when the CR decreases and is less than the liquidation CR.

Assessed type

Invalid Validation
@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jul 1, 2024
c4-bot-8 added a commit that referenced this issue Jul 1, 2024
@c4-bot-8
ether_sky issue #78
ae98309
@c4-bot-11 c4-bot-11 added the 🤖_73_group AI based duplicate group recommendation label Jul 2, 2024
@howlbot-integration howlbot-integration bot added primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Jul 4, 2024
@aviggiano
Copy link

This is a duplicate of #107

@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 10, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as duplicate of #107

@c4-judge c4-judge added duplicate-107 and removed primary issue Highest quality submission among a set of duplicates labels Jul 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-107 🤖_73_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@aviggiano @c4-judge @c4-bot-10 @c4-bot-11