This repository has been archived by the owner on Apr 28, 2024. It is now read-only.
handsomegiraffe - If loan is not liquidated in time, underflow may prevent loan from being liquidated using emergency mode #195
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Escalation Resolved
This issue's escalations have been approved/rejected
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Comments
github-actions
bot
added
Medium
sherlock-admin
changed the title
sherlock-admin
added
Non-Reward
|
Escalate Similar to 119 I think both issues are wrongly classified as invalid. In This bug is easily replicated using protocol's own default test file it("emergency repay will be successful for PosManNFT owner if the collateral is depleted", async () => {
let debt: LiquidityBorrowingManager.BorrowingInfoExtStructOutput[] =
await borrowingManager.getBorrowerDebtsInfo(bob.address);
await time.increase(debt[1].estimatedLifeTime.toNumber() + 1);
let borrowingKey = await borrowingManager.userBorrowingKeys(bob.address, 1);
let deadline = (await time.latest()) + 60;
let swap_params = ethers.utils.defaultAbiCoder.encode(
["address", "address", "uint256", "uint256"],
[constants.AddressZero, constants.AddressZero, 0, 0]
);
swapData = swapIface.encodeFunctionData("swap", [swap_params]);
let swapParams: ApproveSwapAndPay.SwapParamsStruct = {
swapTarget: constants.AddressZero,
swapAmountInDataIndex: 0,
maxGasForCall: 0,
swapData: swapData,
};
let params: LiquidityBorrowingManager.RepayParamsStruct = {
isEmergency: true, //emergency
internalSwapPoolfee: 0,
externalSwap: swapParams,
borrowingKey: borrowingKey,
swapSlippageBP1000: 0,
};
let loans: LiquidityManager.LoanInfoStructOutput[] = await borrowingManager.getLoansInfo(borrowingKey);
expect(loans.length).to.equal(3);
await expect(borrowingManager.connect(alice).repay(params, deadline))
.to.emit(borrowingManager, "EmergencyLoanClosure")
.withArgs(bob.address, alice.address, borrowingKey);
expect(await borrowingManager.getLenderCreditsCount(nftpos[0].tokenId)).to.be.equal(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[1].tokenId)).to.be.gt(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[2].tokenId)).to.be.gt(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[3].tokenId)).to.be.gt(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[4].tokenId)).to.be.gt(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[5].tokenId)).to.be.gt(0);
expect(await borrowingManager.getBorrowerDebtsCount(bob.address)).to.be.equal(2);
debt = await borrowingManager.getBorrowerDebtsInfo(bob.address);
loans = await borrowingManager.getLoansInfo(borrowingKey);
expect(loans.length).to.equal(2);
await time.increase(100); // @audit change this to 100_000 (~ 1 day)
deadline = (await time.latest()) + 60;
await expect(borrowingManager.connect(bob).repay(params, deadline)) // @audit repay will underflow here
.to.emit(borrowingManager, "EmergencyLoanClosure")
.withArgs(bob.address, bob.address, borrowingKey); Expecting an under-collateralized loan to not be liquidated in ~1 day is not unrealistic, after which the failure of emergency mode represents a significant impact to a critical protocol function. |
The escalation could not be created because you are not exceeding the escalation threshold. You can view the required number of additional valid issues/judging contest payouts in your Profile page, |
|
Escalate Similar to 119 I think both issues are wrongly classified as invalid. In This bug is easily replicated using protocol's own default test file it("emergency repay will be successful for PosManNFT owner if the collateral is depleted", async () => {
let debt: LiquidityBorrowingManager.BorrowingInfoExtStructOutput[] =
await borrowingManager.getBorrowerDebtsInfo(bob.address);
await time.increase(debt[1].estimatedLifeTime.toNumber() + 1);
let borrowingKey = await borrowingManager.userBorrowingKeys(bob.address, 1);
let deadline = (await time.latest()) + 60;
let swap_params = ethers.utils.defaultAbiCoder.encode(
["address", "address", "uint256", "uint256"],
[constants.AddressZero, constants.AddressZero, 0, 0]
);
swapData = swapIface.encodeFunctionData("swap", [swap_params]);
let swapParams: ApproveSwapAndPay.SwapParamsStruct = {
swapTarget: constants.AddressZero,
swapAmountInDataIndex: 0,
maxGasForCall: 0,
swapData: swapData,
};
let params: LiquidityBorrowingManager.RepayParamsStruct = {
isEmergency: true, //emergency
internalSwapPoolfee: 0,
externalSwap: swapParams,
borrowingKey: borrowingKey,
swapSlippageBP1000: 0,
};
let loans: LiquidityManager.LoanInfoStructOutput[] = await borrowingManager.getLoansInfo(borrowingKey);
expect(loans.length).to.equal(3);
await expect(borrowingManager.connect(alice).repay(params, deadline))
.to.emit(borrowingManager, "EmergencyLoanClosure")
.withArgs(bob.address, alice.address, borrowingKey);
expect(await borrowingManager.getLenderCreditsCount(nftpos[0].tokenId)).to.be.equal(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[1].tokenId)).to.be.gt(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[2].tokenId)).to.be.gt(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[3].tokenId)).to.be.gt(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[4].tokenId)).to.be.gt(0);
expect(await borrowingManager.getLenderCreditsCount(nftpos[5].tokenId)).to.be.gt(0);
expect(await borrowingManager.getBorrowerDebtsCount(bob.address)).to.be.equal(2);
debt = await borrowingManager.getBorrowerDebtsInfo(bob.address);
loans = await borrowingManager.getLoansInfo(borrowingKey);
expect(loans.length).to.equal(2);
await time.increase(100); // @audit change this to 100_000 (~ 1 day)
deadline = (await time.latest()) + 60;
await expect(borrowingManager.connect(bob).repay(params, deadline)) // @audit repay will underflow here
.to.emit(borrowingManager, "EmergencyLoanClosure")
.withArgs(bob.address, bob.address, borrowingKey); Expecting an under-collateralized loan to not be liquidated in ~1 day is not unrealistic, after which the failure of emergency mode represents a significant impact to a critical protocol function. |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
|
Thanks for escalating this one! Like mentioned in the escalation, consider checking #119 for additional details and POCs. |
|
Will be accepting the escalations and making this a medium. |
|
Result: |
|
Escalations have been resolved successfully! Escalation status:
|
sherlock-admin
added
Reward
sherlock-admin2
added
Escalation Resolved
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
handsomegiraffe
high
If loan is not liquidated in time, underflow may prevent loan from being liquidated using emergency mode
Summary
If roughly 500_000 seconds (~5 days) has passed and loan is not liquidated, emergency repayment will fail due to underflow causing repay function to revert
Vulnerability Detail
borrowingStorage.accLoanRatePerSeconds =
holdTokenRateInfo.accLoanRatePerSeconds -
FullMath.mulDiv(
uint256(-collateralBalance),
Constants.BP,
borrowing.borrowedAmount // new amount
);
When
collateralBalancegrows large enough, this part of therepayfunction will revertPOC
In line 421 of
WagmiLeverageTests.ts, if time is increased to 500_000, the next test that repays will fail with Arithmetic operation underflowed or overflowed outside of an unchecked block.Impact
Prevention of liquidity providers from recovering their funds from a loan under liquidation. May also have impact on regular liquidation but did not have time to check due submission close to end of contest
Code Snippet
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L612C17-L618C23
Tool used
Manual Review
Recommendation
Handle possible underflow with additional checks before the calculation
Duplicate of #119
The text was updated successfully, but these errors were encountered: