Skip to content
This repository has been archived by the owner on Dec 17, 2023. It is now read-only.

Latest commit

 

History

History
77 lines (64 loc) · 3.68 KB

080.md

File metadata and controls

77 lines (64 loc) · 3.68 KB
Raw

p0wd3r

medium

Credit account cannot redeem liquidate rewards after credit borrowing.

Summary

Credit account cannot redeem liquidate rewards after credit borrowing. This affects the normal function of the credit account. If you want to obtain liquidate rewards, you must first give up using credit.

Vulnerability Detail

Liquidate does not restrict the participation of credit accounts, so credit accounts should be entitled to normal liquidation rewards. https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L480

The final result of liquidation is to increase the liquidator's supply through _transferIBToken. https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L877-L882

        unchecked {
            m.userSupplies[from] = fromBalance - amount;
            // Overflow not possible: the sum of all balances is capped by totalSupply, and the sum is preserved by
            // decrementing then incrementing.
            m.userSupplies[to] += amount;
        }

If the liquidator wants to obtain actual reward tokens, they need to acquire them through redeem. However, in redeem, it is necessary to check the liquidity of the account. https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L432-L448

        // Update storage.
        unchecked {
            m.userSupplies[from] = userSupply - ibTokenAmount;
            m.totalCash = totalCash - amount;
            // Underflow not possible: ibTokenAmount <= userSupply <= totalSupply.
            m.totalSupply -= ibTokenAmount;
        }

        // Check if need to exit the market.
        if (isRedeemFull && _getBorrowBalance(m, from) == 0) {
            _exitMarket(market, from);
        }

        IBTokenInterface(m.config.ibTokenAddress).burn(from, ibTokenAmount); // Only emits Transfer event.
        IERC20(market).safeTransfer(to, amount);

        _checkAccountLiquidity(from);

But for a credit account, borrowing does not require checking liquidity, that is, you can borrow without supplying. https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L389-L394

        if (isCreditAccount(from)) {
            require(from == to, "credit account can only borrow to itself");
            require(creditLimits[from][market] >= newUserBorrowBalance, "insufficient credit limit");
        } else {
            _checkAccountLiquidity(from);
        }

This leads to the following scenario:

  1. Credit account borrow normally without supply.
  2. Credit account liquidate other accounts.
  3. When a credit account wants to withdraw the liquidation reward, it cannot pass the liquidity check in redeem because there is no supply left in the credit account at the end of redeem, combined with its previous borrow balance.

Impact

Credit account cannot redeem liquidate rewards after credit borrowing. This affects the normal function of the credit account. If you want to obtain liquidate rewards, you must first give up using credit.

Code Snippet

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L480 https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L877-L882 https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L432-L448 https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L389-L394

Tool used

Manual Review

Recommendation

If the from in redeem is a credit account, skip the liquidity check because credit accounts can only obtain supply during liquidation.