top of page

HIGH - Iron Bank - Liquidator is not credited with correct collateral amount

Target


Bug Description In seizeInternal(), accountCollateralTokens[liquidator] is only increased by collateralTokens and not by up to seizeTokens amount. The delta, which is called buffer in getCollateralTokens(), is not accounted for. It must be credited to the liquidator unless the collateral cap is reached.

Impact If the liquidator has called enterMarket() and therefore using the seized cToken as collateral, it will be under-counted which may cause a suprising liquidation to the user.

Risk Breakdown Difficulty to Exploit: Medium

Weakness: Wrong calculation of data

Recommendation Seperate subtraction of borrower accountCollateralTokens and addition of liquidator accountCollateralTokens. Make sure to increase collateral through increaseUserCollateralInternal(seizeTokens) as it protects from overpassing the collateral cap limit.

References CCollateralCapERC20.sol - seizeInternal(), getCollateralTokens().


Proof of Concept

  1. User A has negative liquidity, has collateral token A and borrowed token B

  2. User B has collateral token A, cash token B and borrowed token C. He calls liquidate(), pays token B and seizes token A. His collateral is under-calculated.

  3. token C rises in value, User B now has negative liquidity even though he called enterMarket on A and has enough A as collateral.

  4. User C may now repay token C and seize user B's token A.


 

Iron Bank decided they can live with this scenario and will not fix.

0 comments

Recent Posts

See All

Comentarios


bottom of page