nobody2018 - Liquidation will fail in certain scenario

[sherlock-admin]

nobody2018

medium

Liquidation will fail in certain scenario

Summary

When an external protocol adds a new reward token, oracle does not support getting the price of this token. This will cause  BlueBerryBank#getPositionValue to revert, causing all transactions that call this function to fail.

Vulnerability Detail

BlueBerryBank#getPositionValue is used to calculate the value of a certain position, including collateral token and reward tokens of external protocols. It uses the IERC20Wrapper#pendingRewards function to get the reward token array of the external protocol, and then get  the price of each reward token by CoreOracle#getTokenValue.

function getPositionValue(
        uint256 positionId
    ) public view override returns (uint256 positionValue) {
        ...
        } else {
            ...

            uint rewardsValue;
->          (address[] memory tokens, uint256[] memory rewards) = IERC20Wrapper(
                pos.collToken
            ).pendingRewards(pos.collId, pos.collateralSize);
            for (uint256 i; i < tokens.length; i++) {
->              rewardsValue += oracle.getTokenValue(tokens[i], rewards[i]);
            }

            return collValue + rewardsValue;
        }
    }

CoreOracle#getTokenValue internally calls the _getPrice function, which checks whether the value of routes[token] is non-zero.

function _getPrice(
        address token
    ) internal view whenNotPaused returns (uint256) {
        address route = routes[token];
->      if (route == address(0)) revert Errors.NO_ORACLE_ROUTE(token);
        uint256 px = IBaseOracle(route).getPrice(token);
        if (px == 0) revert Errors.PRICE_FAILED(token);
        return px;
    }

Obviously, a new reward token has no route. Eventually BlueBerryBank#getPositionValue will revert. Therefore, functions that call this function will revert. Here I give the flow of the two functions:

• BlueBerryBank#liquidate->isLiquidatable->getPositionRisk->getPositionValue->oracle.getTokenValue
• BlueBerryBank#execute->isLiquidatable->getPositionRisk->getPositionValue->oracle.getTokenValue

Impact

Both BlueBerryBank#liquid and BlueBerryBank#execute will be affected. Due to the importance of liquidation time, untimely liquidation can result in financial losses for both parties involved in the liquidation.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L408-L413

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/CoreOracle.sol#L74

Tool used

Manual Review

Recommendation

--- a/blueberry-core/contracts/BlueBerryBank.sol
+++ b/blueberry-core/contracts/BlueBerryBank.sol
@@ -409,7 +409,9 @@ contract BlueBerryBank is
                 pos.collToken
             ).pendingRewards(pos.collId, pos.collateralSize);
             for (uint256 i; i < tokens.length; i++) {
-                rewardsValue += oracle.getTokenValue(tokens[i], rewards[i]);
+                if (oracle.isTokenSupported(tokens[i])) {
+                    rewardsValue += oracle.getTokenValue(tokens[i], rewards[i]);
+                }
             }

Duplicate of #115