This repository has been archived by the owner on May 26, 2023. It is now read-only.

koxuan - user cannot closePosition when borrow token is removed from whitelist #11

Closed
github-actions bot opened this issue Mar 1, 2023 · 2 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@github-actions

github-actions bot commented Mar 1, 2023

koxuan

medium

user cannot closePosition when borrow token is removed from whitelist

Summary

If the borrowed token is removed from the collateral list, the user's position cannot be closed as he is unable to repay his loan.

Vulnerability Detail

Notice that onlyWhitelistedToken is used as a modifier. In the event that the borrow token of the position is removed from the whitelist, repay will fail, which means that the user's position cannot be closed. See the code snippet for the call stack from closePosition to repay.

    function repay(address token, uint256 amountCall)
        external
        override
        inExec
        poke(token)
        onlyWhitelistedToken(token)
    {
        if (!isRepayAllowed()) revert REPAY_NOT_ALLOWED();
        (uint256 amount, uint256 share) = repayInternal(
            POSITION_ID,
            token,
            amountCall
        );
        emit Repay(POSITION_ID, msg.sender, token, amount, share);
    }

Impact

User cannot close position if the borrow token of the position is removed from whitelist.

Code Snippet

IchiVaultSpell.sol#L357-L364
IchiVaultSpell.sol#L394-L401
IchiVaultSpell.sol#L323
BasicSpell.sol#L108-L113
BlueBerryBank.sol#L740-L754

Tool used

Manual Review

Recommendation

Recommend allowing repay to work for non-whitelisted tokens so that users can close their position even when the borrowed token is removed from the whitelist.
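The gating pattern this issue describes, reduced to a minimal contract with the gated repay beside an ungated one (an added example, not part of the original issue and not the project's code). `MiniBank`, `TokenNotWhitelisted`, `repayGated` and the other names are hypothetical, and token transfers are omitted so only the access-control logic is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical minimal bank, constructed for illustration only.
contract MiniBank {
    error TokenNotWhitelisted(address token);

    address public immutable admin;
    mapping(address => bool) public whitelistedTokens;
    // debt[user][token]
    mapping(address => mapping(address => uint256)) public debt;

    modifier onlyWhitelistedToken(address token) {
        if (!whitelistedTokens[token]) revert TokenNotWhitelisted(token);
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function setWhitelist(address token, bool ok) external {
        require(msg.sender == admin, "not admin");
        whitelistedTokens[token] = ok;
    }

    // Opening new debt is gated: delisting a token stops further exposure.
    function borrow(address token, uint256 amount) external onlyWhitelistedToken(token) {
        debt[msg.sender][token] += amount;
    }

    // Pattern from the report: the same gate on repay. Once the token is
    // delisted this reverts, so existing debt in that token cannot be cleared.
    function repayGated(address token, uint256 amount) external onlyWhitelistedToken(token) {
        _repay(token, amount);
    }

    // Variant matching the recommendation: reducing debt is never gated.
    function repay(address token, uint256 amount) external {
        _repay(token, amount);
    }

    // Caps the repayment at the outstanding debt so it cannot underflow.
    function _repay(address token, uint256 amount) internal {
        uint256 owed = debt[msg.sender][token];
        debt[msg.sender][token] = owed - (amount > owed ? owed : amount);
    }
}
```

After `setWhitelist(token, false)`, a borrower with outstanding debt gets `TokenNotWhitelisted` from `repayGated`, while `repay` still clears the debt and `borrow` stays blocked.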

@Gornutz

Gornutz commented Mar 8, 2023

Tokens that are removed from the whitelist go through a wind-down period which should be sufficient for all users to close their position.

@hrishibhat
Contributor

Also, whitelisting tokens is an admin function.
