This repository has been archived by the owner on Nov 5, 2023. It is now read-only.

0x52 - Issue 290 from previous contest has not been fully addressed by fixes #117

Open
sherlock-admin opened this issue Apr 30, 2023 · 2 comments
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Contributor

0x52

medium

Issue 290 from previous contest has not been fully addressed by fixes

Summary

Issue 290 from the previous contest points out that users may be liquidated without the chance to repay their debt. Liquidate was changed to only be allowed when repayment was allowed. While this does address some of the problem, this will still fail to protect users who become liquidatable during the period of time that repay has been disabled.

MEV bots are typically used to liquidate positions since it is always more profitable to liquidate the vault even if a user tries to pay off their debt on the same block that repay is enabled, they will still be liquidated because of frontrunning.

Vulnerability Detail

See summary.

Impact

Users who become liquidatable during a repay pause will still be unable to save their position.

Code Snippet

BlueBerryBank.sol#L487-L548

Tool used

Manual Review

Recommendation

When repay is paused and then resumed, put a timer that prevents liquidations for some amount of time after (i.e. 4 hours) so that users can fairly repay their position after repayment has been resumed.

@Gornutz

Gornutz commented Jun 12, 2023

@IAm0x52
Collaborator

IAm0x52 commented Jun 16, 2023

Fix looks good. After repayment is reenabled, a warm up period prevents liquidations for a short period.
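
The timer recommended in the report, and the warm-up period mentioned in the last comment, can be expressed as a guard on the liquidation path. The following is an added example, not the project's fix and not code from this thread; the contract name, state variables, errors and the `_isLiquidatable` hook are hypothetical, and the 4-hour window is the value suggested in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration: every name here is hypothetical, not BlueBerryBank's code.
abstract contract RepayGraceGuard {
    uint256 public constant LIQUIDATION_GRACE = 4 hours; // window suggested in the report

    address public immutable admin;
    bool public repayAllowed = true;
    uint256 public repayResumedAt; // time of the last paused -> allowed transition
    mapping(uint256 => uint256) public debtOf; // positionId => outstanding debt

    error NotAdmin();
    error RepayPaused();
    error LiquidationInGracePeriod(uint256 endsAt);
    error PositionHealthy();

    constructor() {
        admin = msg.sender;
    }

    // Stand-in for the bank's own position health check (assumption).
    function _isLiquidatable(uint256 positionId) internal view virtual returns (bool);

    function setRepayAllowed(bool allowed) external {
        if (msg.sender != admin) revert NotAdmin();
        // Stamp only on a real resume, so repeated "allow" calls cannot move the window.
        if (allowed && !repayAllowed) repayResumedAt = block.timestamp;
        repayAllowed = allowed;
    }

    function repay(uint256 positionId, uint256 amount) external {
        if (!repayAllowed) revert RepayPaused();
        uint256 debt = debtOf[positionId];
        debtOf[positionId] = debt - (amount > debt ? debt : amount); // token transfer omitted
    }

    function liquidate(uint256 positionId) external {
        if (!repayAllowed) revert RepayPaused();
        uint256 endsAt = repayResumedAt + LIQUIDATION_GRACE;
        // A liquidation in the resume block, or in any block inside the window, reverts,
        // so transaction ordering against the user's repay no longer decides the outcome.
        if (block.timestamp < endsAt) revert LiquidationInGracePeriod(endsAt);
        if (!_isLiquidatable(positionId)) revert PositionHealthy();
        delete debtOf[positionId]; // collateral seizure omitted
    }
}
```

Because the timestamp is written only on the paused-to-allowed transition, a reviewer checking a fix of this shape should confirm that every path that re-enables repayment updates it and that every liquidation entry point reads it.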
