This repository has been archived by the owner on May 26, 2023. It is now read-only.

GalloDaSballo - Risk with Liquidation - Because of partnership requirement, caller may be unable to redeem during liquidation making it less likely for them to be willing to perform the liquidation #20

Open
github-actions bot opened this issue Jan 24, 2023 · 4 comments
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid

Comments

@github-actions

GalloDaSballo

medium

Risk with Liquidation - Because of partnership requirement, caller may be unable to redeem during liquidation making it less likely for them to be willing to perform the liquidation

Summary

Due to the approval system with plvGLP, liquidations may be less likely.

Vulnerability Detail

In times of intense price action, a liquidation may have to be performed on plvGLP.

The protocol will offer liquidate, which will sweep funds out; this is fine and will work as intended because it relies on transferFrom.

However, a liquidator will receive the vault token, and may be unable to redeem it.

That's because redemptions have to be performed via the plvGLP depositor, which may not have approved the liquidator's account.

This will make it less likely for liquidators to perform the operation as it may force either a manual operation (redemption can be performed by any EOA), or it will require further setup, reducing the number of operators willing to perform the liquidation in the time of need.

Impact

Code Snippet

  function _isEligibleSender() private view {
    if (
      msg.sender != tx.origin && whitelist.isWhitelisted(msg.sender) == false && partners[msg.sender].isActive == false
    ) revert UNAUTHORIZED();
  }

Tool used

Manual Review

Recommendation

@github-actions github-actions bot added the Medium A valid Medium severity issue label Jan 24, 2023
@r0ohafza

Will be communicating with the Plutus team and update here accordingly to validate the issue.

@zobront
Collaborator

zobront commented Jan 26, 2023

> Will be communicating with the Plutus team and update here accordingly to validate the issue.

This seems to just be missing the fact that Sentiment accounts return true for whitelist.isWhitelisted(), so this isn't an issue.

@r0ohafza

> > Will be communicating with the Plutus team and update here accordingly to validate the issue.
>
> This seems to just be missing the fact that Sentiment accounts return true for whitelist.isWhitelisted(), so this isn't an issue.

The scenario you are referring to is of an account withdraw/redeem, but when an account is liquidated all plvGLP shares are transferred to the liquidator. This liquidator will not be able to redeem the shares and repay a flashloan used to repay the account debt.
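
The gate discussed in this thread, as an added example that is not part of the original issue or the audited code base: a minimal Solidity model in which a contract-based liquidator calls a depositor guarded by the quoted `_isEligibleSender` predicate, before and after being whitelisted. `MockWhitelist`, `MockDepositor`, `LiquidatorBot`, `Scenario` and the `set`/`redeem`/`tryRedeem`/`run` functions are hypothetical stand-ins; only the predicate is taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for the whitelist the depositor consults.
contract MockWhitelist {
    mapping(address => bool) public isWhitelisted;
    function set(address a, bool ok) external { isWhitelisted[a] = ok; }
}

contract MockDepositor {
    struct Partner { bool isActive; }
    error UNAUTHORIZED();
    MockWhitelist public immutable whitelist;
    mapping(address => Partner) public partners;

    constructor(MockWhitelist w) { whitelist = w; }

    // Same predicate as the snippet quoted in the issue.
    function _isEligibleSender() private view {
        if (
            msg.sender != tx.origin && whitelist.isWhitelisted(msg.sender) == false && partners[msg.sender].isActive == false
        ) revert UNAUTHORIZED();
    }

    // Stand-in for the real redemption path; only the gate is modelled.
    function redeem(uint256 shares) external view returns (uint256) {
        _isEligibleSender();
        return shares;
    }
}

// A liquidator implemented as a contract, so msg.sender != tx.origin at the depositor.
contract LiquidatorBot {
    function tryRedeem(MockDepositor d, uint256 shares) external view returns (bool ok) {
        try d.redeem(shares) returns (uint256) { ok = true; } catch { ok = false; }
    }
}

contract Scenario {
    // Call from an EOA; reports whether the gate let the bot through in each state.
    function run() external returns (bool beforeWhitelist, bool afterWhitelist) {
        MockWhitelist w = new MockWhitelist();
        MockDepositor d = new MockDepositor(w);
        LiquidatorBot bot = new LiquidatorBot();
        beforeWhitelist = bot.tryRedeem(d, 1e18); // bot: not whitelisted, not a partner
        w.set(address(bot), true);
        afterWhitelist = bot.tryRedeem(d, 1e18); // bot: now whitelisted
    }
}
```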

@hrishibhat
Contributor

Considering this issue as a valid medium.

@r0ohafza r0ohafza added the Sponsor Confirmed The sponsor acknowledged this issue is valid label Feb 1, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Feb 2, 2023