-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Borrower can frontrun liquidator to block liquidation by adding a tiny premium amount to extend the loan start time and roll over the loan term infinitely #4
Comments
0xleastwood marked the issue as primary issue |
Good discovery, but we think this by design is covered by the If LP calls Happy to discuss further along this line. If there's still attack angle, please provide a coded PoC. Thanks! |
Consider the case when the original borrower that hold NFT does not implement the function reclaimLiquidity. also,
before lender calls reclaimLiquidity, every time the borrower add a tiny premium, the position will be extended by 7 days even when the reclaimLiquidity and the addPremium are called at the same time (borrower frontrun liquidator's reclaimLiquidity to add tiny premium), the loan. term can still be extended by 7 days mainly because we are using > instead of >= if (lps.getRenewalCutoffTime(lien.tokenId) > lien.startTime) revert Errors.RenewalDisabled(); |
Yes, the |
0xleastwood marked the issue as duplicate of #33 |
It should be noted I think this issue was missing some key points that was outlined in #33. I will give partial credit instead. |
0xleastwood marked the issue as partial-50 |
0xleastwood changed the severity to 2 (Med Risk) |
0xleastwood marked the issue as full credit |
0xleastwood marked the issue as satisfactory |
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L365
https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/libraries/Lien.sol#L46
Vulnerability details
Impact
Borrower can frontrun to block liquidation by adding a tiny premium to update the loan start time
Proof of Concept
Please note the liquidation considition check
if
the loan should be subject to liquidation
however, borrower can keep enough premium to infinitely roll over the LOAN_TERM can adding a tiny amount of premium (even 1 wei of token or 0 amount of premium)
the borrower needs to call addPremium
this would trigger
which calls this line of code
the lien start time is reset to block.timestamp
so basically, the third condition
will never to true
then Borrower can frontrun liquidator to block liquidation by adding a tiny premium amount to extend the loan start time and roll over the loan term infnitely
the impact is severe, this borrower can make sure lender never get NFT position orignal liquidity back as long as the premium is sufficient
Tools Used
Manual Review
Recommended Mitigation Steps
one of the option is do not update lien start time when user add new premium
Assessed type
MEV
The text was updated successfully, but these errors were encountered: