No minLoanSize means liquidators will have no incentive to liquidate small positions
#455
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
edited-by-warden
M-03
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
sufficient quality report
This report is of sufficient quality
Comments
c4-bot-4
added
2 (Med Risk)
c4-pre-sort
added
the
sufficient quality report
|
0xEVom marked the issue as sufficient quality report |
|
0xEVom marked the issue as primary issue |
c4-pre-sort
added
the
primary issue
c4-sponsor
added
the
sponsor acknowledged
|
kalinbas (sponsor) acknowledged |
|
Will do the deployment with a reasonable minLoanSize. |
|
Normally, I would mark such issues as Low. But given that this issue provides a substantial reminder to the sponsor, I am retaining it as an M. Further solicit opinion from the sponsor and may downgrade it to an L. |
|
jhsagd76 marked the issue as satisfactory |
c4-judge
added
the
satisfactory
|
jhsagd76 marked the issue as selected for report |
c4-judge
added
the
selected for report
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L550-L602
Vulnerability details
Summary
No
minLoanSizecan destabilise the protocolVulnerability Details
According to protocol team they plan to roll out the protocol with
minLoanSize = 0and adjust that number if needs be.This can be a big issue because there will be no incentive for liquidators to liquidate small underwater positions given the gas cost to do so would not make economic sense based on the incentive they would receive.
It also opens up a cheap attack path for would be attackers whereby they can borrow many small loans which will go underwater as they accrue interest but will not be liquidated.
Impact
Can push the entire protocol into an underwater state.
Underwater debt would first be covered by Protocol reserves and where they arent sufficient, lenders will bear the responsibility of the uneconomical clean up of bad debt so both the protocol and lenders stand to lose out.
Tools Used
Manual Review
Recommendations
Close the vulnerability by implementing a relaistic
minLoanSizewhich will incentivise liquidators to clean up bad debt.Assessed type
Other
The text was updated successfully, but these errors were encountered: