
CRIT - Compound - Liquidators may seize assets not held as collateral - Closed as known issue


Bug Description

When a borrower's liquidity becomes negative, liquidators should only be able to seize assets held as collateral (i.e. assets that provide liquidity), meaning cTokens for which the user called enterMarkets(). However, at no point is it validated that the Comptroller's markets[cToken].accountMembership[borrower] == true. Therefore all of the user's assets are at risk of liquidation, and exitMarket() has no effect except for reducing the user's liquidity (i.e. it does not make the asset safe).


Users may be liquidated out of assets that they were not aware were at risk. If they have negative liquidity, assets could be taken without their permission.

Risk Breakdown

Difficulty to Exploit: Easy

Weakness: Insufficient validation of input


Add the following check in seizeAllowed():

    if (markets[cTokenCollateral].accountMembership[borrower] == false) {
        return uint(Error.MARKET_NOT_ENTERED);
    }


Compound Docs / Compound Code

AAVE's implementation of setUserUseReserveAsCollateral()

Proof of Concept

  1. User calls mint() for 2 tokens (e.g. DAI, WBTC)

  2. User calls enterMarkets() for WBTC - positive liquidity

  3. User calls borrow(max_allowed) of some token (e.g. cUNI)

  4. WBTC's value drops by 30% / cUNI's value rises by 30% - user is in negative liquidity

  5. Liquidator calls liquidateBorrow(user, repay, cDAI)

  6. Liquidator successfully seizes user's cDAI holdings.
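
The six steps above, replayed against a small Python model with and without the recommended membership check. This is an added example, not Compound's code or the reporter's: the prices, amounts, the 0.5 collateral factor and the direct seize amount are constructed assumptions, and the repayment leg of the liquidation is omitted.

```python
from dataclasses import dataclass, field

@dataclass
class Comptroller:
    """Toy model of this report's accounting (not Compound's Solidity code)."""
    prices: dict                        # cToken -> price, constructed sample values
    require_membership: bool = False    # True applies the recommended seizeAllowed() check
    factor: float = 0.5                 # assumed collateral factor, same for every market
    balances: dict = field(default_factory=dict)  # (user, cToken) -> cTokens held
    borrows: dict = field(default_factory=dict)   # (user, cToken) -> amount owed
    members: set = field(default_factory=set)     # (user, cToken) added by enterMarkets()

    def mint(self, user, ctoken, amount):
        self.balances[(user, ctoken)] = self.balances.get((user, ctoken), 0) + amount
    def enter_markets(self, user, ctoken):
        self.members.add((user, ctoken))

    def liquidity(self, user):
        # Only entered markets count as collateral; every borrow counts as debt.
        coll = sum(a * self.prices[c] * self.factor for (u, c), a in self.balances.items()
                   if u == user and (u, c) in self.members)
        debt = sum(a * self.prices[c] for (u, c), a in self.borrows.items() if u == user)
        return coll - debt

    def borrow(self, user, ctoken, amount):
        self.borrows[(user, ctoken)] = self.borrows.get((user, ctoken), 0) + amount
        if self.liquidity(user) < 0:
            raise ValueError("borrow exceeds liquidity")
    def seize_allowed(self, borrower, ctoken_collateral):
        if self.require_membership and (borrower, ctoken_collateral) not in self.members:
            return "MARKET_NOT_ENTERED"   # the check this report recommends
        return "NO_ERROR"

    def liquidate_borrow(self, liquidator, borrower, ctoken_collateral, seize):
        if self.liquidity(borrower) >= 0:
            return "INSUFFICIENT_SHORTFALL"
        err = self.seize_allowed(borrower, ctoken_collateral)
        if err == "NO_ERROR":
            self.balances[(borrower, ctoken_collateral)] -= seize
            self.mint(liquidator, ctoken_collateral, seize)
        return err

def run_poc(require_membership):
    c = Comptroller({"cDAI": 1, "cWBTC": 100, "cUNI": 10}, require_membership)
    c.mint("user", "cDAI", 1000)                           # step 1
    c.mint("user", "cWBTC", 10)
    c.enter_markets("user", "cWBTC")                       # step 2: only WBTC is collateral
    c.borrow("user", "cUNI", 50)                           # step 3: maximum allowed
    c.prices["cWBTC"] = 70                                 # step 4: WBTC drops by 30%
    err = c.liquidate_borrow("liq", "user", "cDAI", 100)   # step 5: seize cDAI
    return err, c.balances[("user", "cDAI")], c.balances.get(("liq", "cDAI"), 0)  # step 6
```

run_poc(False) models the reported behaviour and run_poc(True) the behaviour with the membership check; cTokens in a market the borrower did enter remain seizable in both.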

