Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Full liquidation of vault will not be possible when there is a left over margin and the vault recipient is blacklisted. #24

Closed
c4-bot-1 opened this issue Jun 13, 2024 · 4 comments
Closed

Full liquidation of vault will not be possible when there is a left over margin and the vault recipient is blacklisted. #24

c4-bot-1 opened this issue Jun 13, 2024 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-42 🤖_27_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-1
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/logic/LiquidationLogic.sol#L89-L100

Vulnerability details

Impact

Full liquidation of vault will not be possible when there is a left over margin and the vault recipient is blacklisted.

Proof of Concept

// ...
library LiquidationLogic {
    // ...
    function liquidate(
        uint256 vaultId,
        uint256 closeRatio,
        GlobalDataLibrary.GlobalData storage globalData,
        bytes memory settlementData
    ) external returns (IPredyPool.TradeResult memory tradeResult) {
        if (!hasPosition) {
            int256 remainingMargin = vault.margin;

            if (remainingMargin > 0) {
                if (vault.recipient != address(0)) {
                    // Send the remaining margin to the recipient.
                    vault.margin = 0;

                    sentMarginAmount = uint256(remainingMargin);
                    
                  ERC20(pairStatus.quotePool.token).safeTransfer(vault.recipient, sentMarginAmount); // <=== Audit
                }
            } else if (remainingMargin < 0) {
                // ...
            }
        }
    }
}

At the end of a full liquidation process, any left over margin is sent to the vault recipient.

If the vault recipient is blacklisted by the token contract (for example USDC and USDT), the transfer will revert making the full liquidation of the vault impossible.

This can happen if :

  • The vault recipient is blacklisted after interacting with the protocol.
  • A pair doesn't have whitelist enabled and allows any traders. A trader can intentionally set the vault recipient for an owned vault to a blacklisted address after interacting with the protocol.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a try/catch to the transfer call when sending the left over margin to the vault recipient.

Assessed type

Other
@c4-bot-1 c4-bot-1 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 13, 2024
c4-bot-2 added a commit that referenced this issue Jun 13, 2024
@c4-bot-2
gumgumzum issue #24
843ab70
@c4-bot-12 c4-bot-12 added the 🤖_27_group AI based duplicate group recommendation label Jun 14, 2024
@howlbot-integration howlbot-integration bot added sufficient quality report This report is of sufficient quality duplicate-48 labels Jun 17, 2024
@c4-judge c4-judge added duplicate-42 partial-75 Incomplete articulation of vulnerability; eligible for partial credit only (75%) and removed duplicate-48 labels Jun 28, 2024
@c4-judge
Copy link
Contributor

alex-ppg marked the issue as partial-75

@imsrybr0
Copy link

Hi @alex-ppg,

Can you please let me know why this was marked as Partial-75 ?

My understanding is that vaults created by markets (PerpMarket and GammaMarket for example) are owned by those markets, so it's not possible to directly update the vault recipient in that case and this issue can only happen if the recipient is blacklisted after interacting with them or if an allowed market provides the ability to update the vault recipient.

Thank you

@alex-ppg
Copy link

alex-ppg commented Jul 4, 2024

Hey @imsrybr0, thank you for your contribution! I have re-instated a full reward for this submission as I had misread the recommended mitigation steps.

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards and removed partial-75 Incomplete articulation of vulnerability; eligible for partial credit only (75%) labels Jul 4, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Jul 4, 2024

alex-ppg marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-42 🤖_27_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alex-ppg @imsrybr0 @c4-judge @c4-bot-1 @c4-bot-12