This repository has been archived by the owner on Apr 28, 2024. It is now read-only.

handsomegiraffe - Malicious liquidity provider can prevent liquidation of loan and loss of funds to other liquidity providers #95

Closed
sherlock-admin opened this issue Oct 23, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

sherlock-admin commented Oct 23, 2023

handsomegiraffe

high

Malicious liquidity provider can prevent liquidation of loan and loss of funds to other liquidity providers

Summary

By supplying a loan and then burning the Uniswap V3 position, a malicious liquidity provider can cause a DoS of real wagmi, preventing liquidation of loan(s) and causing loss of funds to other liquidity providers.

Vulnerability Detail

A malicious liquidity provider could approve real wagmi to use his position for loans. After supplying the loan, the malicious actor could then burn their Uniswap V3 position NFT. This prevents repayment or liquidation of a loan, even through the emergency mode.

In the regular repayment/liquidation process, when `_upRestoreLiquidityCache()` is called, the external call `underlyingPositionManager.positions(loan.tokenId);` reverts with 'Invalid Token Id'.

In the emergency process, when `_calculateEmergencyLoanClosure()` is called, the external call `address creditor = underlyingPositionManager.ownerOf(loan.tokenId);` reverts with 'ERC721: owner query for nonexistent token'.

Proof of Concept

In `WagmiLeverageTests.ts`, bob provides a WETH_USDT loan with tokenId 512099. As all liquidity is used for loans, by inserting `await nonfungiblePositionManager.connect(bob).burn(nftpos[1].tokenId);` before repay is called, these tests will fail:

  1. it("emergency repay will be successful for PosManNFT owner if the collateral is depleted") (L990)
  2. it("Loan liquidation will be successful for anyone if the collateral is depleted") (L1071)

Impact

As a result of the DOS,

  • Liquidation of the loan is not possible; significant funds are lost or stuck
  • Honest liquidity providers are unable to recover funds supplied to the loan (up to 7 per position)
  • An honest borrower is unable to repay, close the loan and recover collateral

Code Snippet

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L494

Tool used

Manual Review

Recommendation

Wrap external calls to `underlyingPositionManager` in try/catch, and handle reverts by writing off the loan from the specific liquidity position that has been burned.

Duplicate of #78

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Oct 26, 2023
@sherlock-admin sherlock-admin changed the title Orbiting Tweed Caterpillar - Malicious liquidity provider can prevent liquidation of loan and loss of funds to other liquidity providers handsomegiraffe - Malicious liquidity provider can prevent liquidation of loan and loss of funds to other liquidity providers Oct 30, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Oct 30, 2023
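
A sketch of the try/catch recommendation in the report above, added here as an example and not taken from the real wagmi code base or from the fix that was eventually applied. The contract name `BurnTolerantLoans`, the helpers `_tryOwnerOf` and `_splitLiveLoans`, the `LoanWrittenOff` event and the two-field `LoanInfo` struct are hypothetical; only `underlyingPositionManager`, `ownerOf` and `loan.tokenId` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Only the ERC-721 call quoted in the report; positions() fails the same way after a burn.
interface IPositionManager {
    function ownerOf(uint256 tokenId) external view returns (address);
}

// Hypothetical sketch, not the real wagmi LiquidityManager.
abstract contract BurnTolerantLoans {
    struct LoanInfo { uint128 liquidity; uint256 tokenId; } // simplified, assumed fields
    IPositionManager public immutable underlyingPositionManager;
    event LoanWrittenOff(uint256 indexed tokenId, uint128 liquidity);

    constructor(IPositionManager pm) { underlyingPositionManager = pm; }

    // (true, owner) for a live position; (false, 0) when the call reverts, e.g. NFT burned.
    function _tryOwnerOf(uint256 tokenId) internal view returns (bool live, address creditor) {
        try underlyingPositionManager.ownerOf(tokenId) returns (address o) {
            return (true, o);
        } catch {
            return (false, address(0));
        }
    }

    // Pre-pass for repay/liquidation: keep loans whose position exists, write off the rest,
    // so one burned NFT cannot revert the closure of every other loan in the array.
    function _splitLiveLoans(LoanInfo[] memory loans)
        internal
        returns (LoanInfo[] memory liveLoans, address[] memory creditors, uint256 count)
    {
        liveLoans = new LoanInfo[](loans.length);
        creditors = new address[](loans.length);
        for (uint256 i = 0; i < loans.length; i++) {
            (bool live, address creditor) = _tryOwnerOf(loans[i].tokenId);
            if (!live) {
                emit LoanWrittenOff(loans[i].tokenId, loans[i].liquidity);
                continue;
            }
            liveLoans[count] = loans[i];
            creditors[count] = creditor;
            count++;
        }
    }
}
```

The returned arrays keep the length of `loans`, so callers read only the first `count` entries. `catch` handles a revert raised inside the callee; a call to an address with no code still reverts in the caller.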