This repository has been archived by the owner on May 26, 2023. It is now read-only.
Ruhum - Positions won't be liquidatable at the correct threshold because of an accounting issue in withdrawLend()
#120
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
High: A valid High severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
Ruhum
high
Positions won't be liquidatable at the correct threshold because of an accounting issue in `withdrawLend()`
Summary
When a deposit is withdrawn from the SoftVault contract it takes a fee. When the user's position is modified that fee is not taken into account causing the position to be reduced by fewer tokens than it should. The liquidation threshold will be reached later than it should be for that position.
Vulnerability Detail
Impact
Alice's position won't be liquidatable at the correct time.
Code Snippet
Both the HardVault and SoftVault can take a fee on withdrawal: SoftVault & HardVault
The fee is subtracted from the final return value `withdrawAmount`. That value is used to reduce the caller's position in `BlueBerryBank.withdrawLend()`: https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L664-L704
The position's `underlyingAmount` value is used to determine its risk: https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L477-L495
Because `cv` is a larger value than it should be, `risk` will be a lower number. It won't reach the liquidation threshold because the internal accounting is broken.
Tool used
Manual Review
Recommendation
The vault should return the full amount and the fee should be distributed through the BlueBerryBank contract.
Duplicate of #33
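A numeric model of the accounting described in this report, added here as an illustration; it is not code from the Blueberry repository or from the report's author. The fee rate, liquidation threshold, 1:1 share-to-token ratio, unit price, sample position and the risk formula `(ov - pv) * DENOMINATOR / cv` are all assumptions, chosen only to be consistent with the report's statement that a larger `cv` yields a lower `risk`.

```python
from dataclasses import dataclass

# All constants are assumptions for this model, not values from the report.
DENOMINATOR = 10_000        # basis-point scale
FEE_BPS = 100               # 1% vault withdrawal fee
LIQ_THRESHOLD = 8_000       # position is liquidatable when risk >= this

@dataclass
class Position:
    underlying_amount: int  # collateral the bank believes is lent out
    vault_shares: int       # shares actually held (1 share == 1 token here)
    debt_value: int         # ov
    position_value: int     # pv

def fee_on(amount: int) -> int:
    return amount * FEE_BPS // DENOMINATOR

def withdraw_lend(pos: Position, shares: int, fixed: bool) -> int:
    """Burn `shares`, update the books, return tokens paid to the user."""
    pos.vault_shares -= shares
    if fixed:
        # Recommendation: vault returns the full amount, bank takes the fee.
        gross = shares
        pos.underlying_amount -= gross
        return gross - fee_on(gross)
    # Reported behaviour: vault returns the post-fee amount and the bank
    # reduces the position by that smaller number.
    withdraw_amount = shares - fee_on(shares)
    pos.underlying_amount -= withdraw_amount
    return withdraw_amount

def risk(pos: Position, price: int = 1) -> int:
    cv = pos.underlying_amount * price   # collateral value
    if pos.position_value >= pos.debt_value:
        return 0
    return (pos.debt_value - pos.position_value) * DENOMINATOR // cv

def simulate(fixed: bool) -> dict:
    # Constructed sample position: 10,000 tokens lent, debt 5,000, value 4,200.
    pos = Position(10_000, 10_000, 5_000, 4_200)
    paid = withdraw_lend(pos, 9_000, fixed)
    r = risk(pos)
    return {"paid": paid, "risk": r, "liquidatable": r >= LIQ_THRESHOLD,
            "phantom": pos.underlying_amount - pos.vault_shares}

if __name__ == "__main__":
    print("reported:", simulate(fixed=False))
    print("fixed:   ", simulate(fixed=True))
```

The user receives the same payout in both runs; only the bank's record differs, and the leftover `phantom` collateral is what keeps the reported variant below the threshold.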