This repository has been archived by the owner on Nov 5, 2023. It is now read-only.

0x52 - BlueBerryBank#getPositionValue causes DOS if reward token is added that doesn't have an oracle #115

Open
sherlock-admin opened this issue Apr 30, 2023 · 2 comments
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Contributor

0x52

high

BlueBerryBank#getPositionValue causes DOS if reward token is added that doesn't have an oracle

Summary

collToken.pendingRewards pulls the most recent reward list from Aura/Convex. In the event that reward tokens are added to pools that don't currently have an oracle then it will DOS every action (repaying, liquidating, etc.). While this is only temporary it prevents liquidation which is a key process that should have 100% uptime otherwise the protocol could easily be left with bad debt.

Vulnerability Detail

BlueBerryBank.sol#L408-L413

      // Fresh reward list from the Aura/Convex wrapper, including any token just added to the pool
      (address[] memory tokens, uint256[] memory rewards) = IERC20Wrapper(
          pos.collToken
      ).pendingRewards(pos.collId, pos.collateralSize);
      for (uint256 i; i < tokens.length; i++) {
          // Reverts if the oracle has no price feed for tokens[i], failing the whole call
          rewardsValue += oracle.getTokenValue(tokens[i], rewards[i]);
      }

Using the pendingRewards method pulls a fresh list of all tokens. When a token is added as a reward but can't be priced then the call to getTokenValue will revert. Since getPositionValue is used in liquidations, it temporarily breaks liquidations which in a volatile market can cause bad debt to accumulate.

Impact

Temporary DOS to liquidations which can result in bad debt

Code Snippet

BlueBerryBank.sol#L392-L417

Tool used

Manual Review

Recommendation

Return zero valuation if extra reward token can't be priced.
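The pattern below is an added illustration of the recommendation and of the fix as described in the thread (price a reward token only while the oracle supports it); it is not BlueBerry's code. The interfaces are simplified stand-ins: isTokenSupported() is an assumed name for whatever support check the real oracle exposes, and the two mock contracts return constructed data so the behaviour can be exercised in a local test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not BlueBerry's code. IOracle.isTokenSupported() is an assumed
// name; the mocks below are constructed for local testing only.
interface IOracle {
    function isTokenSupported(address token) external view returns (bool); // assumed
    function getTokenValue(address token, uint256 amount) external view returns (uint256);
}

interface IERC20Wrapper {
    function pendingRewards(uint256 collId, uint256 amount)
        external view returns (address[] memory tokens, uint256[] memory rewards);
}

contract RewardValuationExample {
    IOracle public immutable oracle;

    constructor(IOracle _oracle) {
        oracle = _oracle;
    }

    /// Pattern from the report: one unpriced reward token reverts the whole valuation,
    /// and with it every caller that depends on it (repay, liquidate, ...).
    function rewardsValueUnsafe(IERC20Wrapper wrapper, uint256 collId, uint256 size)
        external view returns (uint256 rewardsValue)
    {
        (address[] memory tokens, uint256[] memory rewards) = wrapper.pendingRewards(collId, size);
        for (uint256 i; i < tokens.length; i++) {
            rewardsValue += oracle.getTokenValue(tokens[i], rewards[i]); // reverts for unknown token
        }
    }

    /// Hardened pattern: a reward token the oracle cannot price contributes zero instead
    /// of blocking the call. The try/catch additionally tolerates an oracle that reverts
    /// for a token it claims to support (e.g. a stale or missing feed).
    function rewardsValueSafe(IERC20Wrapper wrapper, uint256 collId, uint256 size)
        external view returns (uint256 rewardsValue)
    {
        (address[] memory tokens, uint256[] memory rewards) = wrapper.pendingRewards(collId, size);
        for (uint256 i; i < tokens.length; i++) {
            if (!oracle.isTokenSupported(tokens[i])) continue; // unpriced token: value 0
            try oracle.getTokenValue(tokens[i], rewards[i]) returns (uint256 value) {
                rewardsValue += value;
            } catch {
                // price temporarily unavailable: count it as 0 rather than revert
            }
        }
    }
}

/// Constructed mock oracle: a token is "supported" once a non-zero price has been set.
contract MockOracle is IOracle {
    mapping(address => uint256) public price; // value per whole token, 18 decimals

    function setPrice(address token, uint256 p) external { price[token] = p; }

    function isTokenSupported(address token) external view override returns (bool) {
        return price[token] != 0;
    }

    function getTokenValue(address token, uint256 amount) external view override returns (uint256) {
        require(price[token] != 0, "oracle: unsupported token");
        return amount * price[token] / 1e18;
    }
}

/// Constructed mock wrapper: returns whatever reward list the test sets, mimicking a pool
/// whose reward tokens change without the lending protocol being updated.
contract MockWrapper is IERC20Wrapper {
    address[] private tokens;
    uint256[] private amounts;

    function setRewards(address[] calldata t, uint256[] calldata a) external {
        tokens = t;
        amounts = a;
    }

    function pendingRewards(uint256, uint256)
        external view override returns (address[] memory, uint256[] memory)
    {
        return (tokens, amounts);
    }
}
```

To reproduce the failure mode locally: deploy MockOracle and MockWrapper, set a price for token A only, and have the wrapper report rewards for both A and a new token B. rewardsValueUnsafe reverts with "oracle: unsupported token", while rewardsValueSafe returns the value of A alone. One caveat to weigh when adopting this: counting an unpriced reward as zero under-values the position, which is conservative for protocol solvency but can make a position look liquidatable slightly earlier than its true value would justify, so the oracle's token list should still be kept in step with the pools' reward lists.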

@github-actions github-actions bot added the labels Medium (A valid Medium severity issue) and Has Duplicates (A valid issue with 1+ other issues describing the same vulnerability) on May 3, 2023
@Gornutz Gornutz added the labels Sponsor Confirmed (The sponsor acknowledged this issue is valid) and Will Fix (The sponsor confirmed this issue will be fixed) on May 10, 2023
@sherlock-admin sherlock-admin added the label Reward (A payout will be made for this issue) on May 20, 2023
@Gornutz

Gornutz commented Jun 12, 2023

@IAm0x52
Collaborator

IAm0x52 commented Jun 16, 2023

Fix looks good. Reward token is only priced if currently supported by the oracle.
