This repository has been archived by the owner on May 26, 2023. It is now read-only.
cducrest-brainbot - Fail to accrue interests on multiple token positions #140
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
Gornutz
added
Sponsor Confirmed
sherlock-admin
added
Has Duplicates
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
cducrest-brainbot
high
Fail to accrue interests on multiple token positions
Summary
In
BlueBerryBank.solthe functionsborrow,repay,lend, orwithdrawLendcallpoke(token)to trigger interest accrual on concerned token, but fail to do so for other token debts of the concerned position. This could lead to wrong calculation of position's debt and whether the position is liquidatable.Vulnerability Detail
Whether a position is liquidatable or not is checked at the end of the
executefunction, the execution should revert if the position is liquidatable.The calculation of whether a position is liquidatable takes into account all the different debt tokens within the position. However, the debt accrual has been triggered only for one of these tokens, the one concerned by the executed action. For other tokens, the value of
bank.totalDebtwill be lower than what it should be. This results in the debt value of the position being lower than what it should be and a position seen as not liquidatable while it should be liquidatable.Impact
Users may be able to operate on their position leading them in a virtually liquidatable state while not reverting as interests were not applied. This will worsen the debt situation of the bank and lead to overall more liquidatable positions.
Code Snippet
execute checking isLiquidatable without triggering interests:
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L607
actions only poke one token (here for borrow):
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L709-L715
bank.totalDebt is used to calculate a position's debt while looping over every tokens:
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L451-L475
The position's debt is used to calculate the risk:
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L477-L495
The risk is used to calculate whether a debt is liquidatable:
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L497-L505
Tool used
Manual Review
Recommendation
Review how token interests are triggered. Probably need to accrue interests on every debt token of a position at the beginning of execute.
The text was updated successfully, but these errors were encountered: