Whitelist lender can prevent liquidation by removing all other lenders from whitelist #80
Labels
bug
Something isn't working
downgraded by judge
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L911-L942
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L950-L1032
Vulnerability details
Impact
Lender blocks liquidations
Proof of Concept
FraxlendPair.sol#setApprovedLenders can be called by any whitelisted lender to both revoke and add approved lenders to the whitelist. A malicious lender could remove every other whitelisted lender from the pair then refuse to liquidate the position themselves, making it impossible to liquidate.
Exploiting this is straight forward. If the lending market is only whitelisted for lenders, the malicious lender could withdraw their lending position, deposit collateral and borrow everything else in the pool then remove all other lenders from the pool. Something like this could be used to open a high leverage zero risk position.
If the market has whitelist borrowers, the lender could easily collude with a borrower to pull off the attack.
Tools Used
Recommended Mitigation Steps
I don't see why FraxlendPairCore.sol#liquidate and liquidateClean can only be called by whitelist lenders. It is in the best interest of both parties if anyone can liquidate a position even in a whitelisted market. If it truly is desirable that only whitelist lenders are able to liquidate, then FraxlendPair.sol#setApprovedLenders should be modified to only allow lenders to add new lenders rather than remove current lenders.
The text was updated successfully, but these errors were encountered: