Bug Description In seizeInternal(), accountCollateralTokens[liquidator] is only increased by collateralTokens and not by up to seizeTokens amount. The delta, which is called buffer in getCollateralTokens(), is not accounted for. It must be credited to the liquidator unless the collateral cap is reached.
Impact If the liquidator has called enterMarket() and therefore using the seized cToken as collateral, it will be under-counted which may cause a suprising liquidation to the user.
Risk Breakdown Difficulty to Exploit: Medium
Weakness: Wrong calculation of data
Recommendation Seperate subtraction of borrower accountCollateralTokens and addition of liquidator accountCollateralTokens. Make sure to increase collateral through increaseUserCollateralInternal(seizeTokens) as it protects from overpassing the collateral cap limit.
References CCollateralCapERC20.sol - seizeInternal(), getCollateralTokens().
Proof of Concept
User A has negative liquidity, has collateral token A and borrowed token B
User B has collateral token A, cash token B and borrowed token C. He calls liquidate(), pays token B and seizes token A. His collateral is under-calculated.
token C rises in value, User B now has negative liquidity even though he called enterMarket on A and has enough A as collateral.
User C may now repay token C and seize user B's token A.
Iron Bank decided they can live with this scenario and will not fix.