This repository has been archived by the owner on Apr 28, 2024. It is now read-only.

0x52 - Blacklisted creditor can block all repayment besides emergency closure #83

Open
sherlock-admin opened this issue Oct 23, 2023 · 2 comments
Assignees
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin

sherlock-admin commented Oct 23, 2023

0x52

medium

Blacklisted creditor can block all repayment besides emergency closure

Summary

After liquidity is restored to the LP, accumulated fees are sent directly from the vault to the creditor. Some tokens, such as USDC and USDT, have blacklists that prevent users from sending or receiving tokens. If the creditor is blacklisted for the hold token then the fee transfer will always revert. This forces the borrower to default. LPs can recover their funds but only after the user has defaulted and they request emergency closure.

Vulnerability Detail

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L306-L315

        address creditor = underlyingPositionManager.ownerOf(loan.tokenId);
        // Increase liquidity and transfer liquidity owner reward
        _increaseLiquidity(cache.saleToken, cache.holdToken, loan, amount0, amount1);
        uint256 liquidityOwnerReward = FullMath.mulDiv(
            params.totalfeesOwed,
            cache.holdTokenDebt,
            params.totalBorrowedAmount
        ) / Constants.COLLATERAL_BALANCE_PRECISION;

        Vault(VAULT_ADDRESS).transferToken(cache.holdToken, creditor, liquidityOwnerReward);

The following code is executed for each loan when attempting to repay. Here we see that each creditor is directly transferred their tokens from the vault. If the creditor is blacklisted for holdToken, then the transfer will revert. This will cause all repayments to revert, preventing the user from ever repaying their loan and forcing them to default.

Impact

Borrowers with blacklisted creditors are forced to default

Code Snippet

LiquidityManager.sol#L223-L321

Tool used

Manual Review

Recommendation

Create an escrow to hold funds in the event that the creditor cannot receive their funds. Implement a try-catch block around the transfer to the creditor. If it fails then send the funds instead to an escrow account, allowing the creditor to claim their tokens later and for the transaction to complete.
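The escrow-with-try/catch shape recommended above, as an added illustration written for this note (it is not the project's code and not the fix the sponsor shipped; the contract name, function names and the absence of caller access control are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical vault: contrasts the push-style payout from the report
/// with a payout that falls back to escrow when the creditor cannot receive.
contract FeeVault {
    using SafeERC20 for IERC20;

    // Fees a creditor could not receive; claimable later (pull payment).
    mapping(address token => mapping(address creditor => uint256)) public pendingFees;

    event FeeEscrowed(address indexed token, address indexed creditor, uint256 amount);

    /// Vulnerable shape (same dependency as the reported loop): a token
    /// blacklist on `creditor` reverts here, and the caller's whole
    /// repayment transaction reverts with it.
    function payFeeDirect(IERC20 token, address creditor, uint256 amount) external {
        token.safeTransfer(creditor, amount);
    }

    /// Hardened shape: try the transfer; on failure escrow the amount so
    /// the repayment completes and the creditor can claim later.
    function payFeeOrEscrow(IERC20 token, address creditor, uint256 amount) external {
        if (amount == 0) return;
        // External self-call so that a revert inside the transfer is catchable.
        try this.tryTransfer(token, creditor, amount) {
            // transferred directly
        } catch {
            // Note: catch also triggers on out-of-gas in the callee, so the
            // escrow path must never lose the accounting for the amount.
            pendingFees[address(token)][creditor] += amount;
            emit FeeEscrowed(address(token), creditor, amount);
        }
    }

    /// Wrapper so try/catch sees both reverts and `false` return values
    /// (SafeERC20 turns a `false` return into a revert).
    function tryTransfer(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == address(this), "internal only");
        token.safeTransfer(to, amount);
    }

    /// Creditor (or anyone on their behalf) pulls escrowed fees later,
    /// e.g. once the blacklist entry has been lifted.
    function claimFees(IERC20 token, address creditor) external {
        uint256 owed = pendingFees[address(token)][creditor];
        require(owed > 0, "nothing to claim");
        pendingFees[address(token)][creditor] = 0;
        token.safeTransfer(creditor, owed);
    }
}
```

Funds routed to escrow stay under the vault's accounting, so the repayment path no longer depends on any single creditor being transferable.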

@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Oct 26, 2023
@fann95 fann95 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Oct 30, 2023
@fann95 fann95 self-assigned this Oct 30, 2023
@sherlock-admin sherlock-admin changed the title Ancient Malachite Jay - Blacklisted creditor can block all repayment besides emergency closure 0x52 - Blacklisted creditor can block all repayment besides emergency closure Oct 30, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Oct 30, 2023
@fann95

fann95 commented Nov 2, 2023

Fixed: RealWagmi/wagmi-leverage@3c17a39

@IAm0x52

IAm0x52 commented Nov 17, 2023

Fix looks good. Fee collection has been made generic instead of specific to protocol fees. Creditor fees are now cached and collected.
