The count should be reduced in PaprController.sol#purchaseLiquidationAuctionNFT instead of in PaprController.sol#startLiquidationAuction #267
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-b
Q-30
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Comments
code423n4
added
3 (High Risk)
|
trust1995 marked the issue as duplicate of #186 |
|
trust1995 marked the issue as satisfactory |
c4-judge
added
the
satisfactory
c4-judge
added
2 (Med Risk)
|
trust1995 changed the severity to 2 (Med Risk) |
c4-judge
added
the
downgraded by judge
C4-Staff
added a commit
that referenced
this issue
Jan 6, 2023
c4-judge
added
QA (Quality Assurance)
|
trust1995 changed the severity to QA (Quality Assurance) |
c4-judge
added a commit
that referenced
this issue
Jan 7, 2023
|
Remove duplicate-186 label as requested by @trust1995 |
Simon-Busch
removed
the
satisfactory
|
Removed the satisfactory label as well and add grade-b label as requested by @trust1995 |
|
Dup to #185. We want to remove the NFT at the start of the auction otherwise the borrower could pay down debt, withdraw the NFT, and break the auction logic. |
|
It is treated as such. Since #186 was downgraded to QA all finds have been dupped to the warden's QA issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L326
Vulnerability details
Impact
Borrowers may be liquidated more assets than needed.
purchaseLiquidationAuctionNFT may perform incorrectly.
Proof of Concept
Because the collateral count is reduced in startLiquidationAuction @ PaprController.sol#L326, the total value and the
_maxDebt()of the vault is changed.This is not correct. The collateral being liquidating should count towards the value of the vault's
totalCollateraValue.For example, maxLTV is 50%, a vault has 10 NFT collaterals (worth 200 papr now) and has a debt of 101 papr, it is liquidatable now.
If the borrower add 1 more collateral to the vault, the vault will be safe (un-liquidatable) again.
But, if someone calls PaprController.sol#startLiquidationAuction first, at this point, if the borrower adds 1 more collateral to the vault, the vault will still be liquidatable.
In extreme cases this can lead to a loop:
a vault become liquidatable -> someone calls
startLiquidationAuction()-> borrower add 1 collateral -> someone callsstartLiquidationAuction()-> borrower add 1 collateral -> someone callsstartLiquidationAuction()-> ...In general, the borrower is vulnerable to liquidating more collaterals due to the LTV become lower.
The problem may not show up if the previous liquidation auction is always purchased in time, and can be mitigated by using the liquidationAuctionMinSpacing to limit aution intervals.
But the implementation itself is logically incorrect, these mitigation don't really solve it.
In addition, it could cause the
isLastCollateralvalue of purchaseLiquidationAuctionNFT to be incorrect.When all (multiple) collaterals of a vault have been started the liquidating auctions, because the count is subtracted advanced, the count of the vault is 0 now.
Then all these liquidating collaterals will be treated as the last collateral in purchaseLiquidationAuctionNFT.
As a result, the execution of x will make errors, including fund related errors.
Tools Used
Manual
Recommended Mitigation Steps
auctionCountfor each vault, increase it whenstartLiquidationAuction(), reduce it afterpurchaseLiquidationAuctionNFT().auctionCountwhen calculating the total value or_maxDebt()of the vault.auctionCountis not 0, removeCollateral, increaseDebt and increaseDebtAndSell are prohibited.The text was updated successfully, but these errors were encountered: