This repository has been archived by the owner on Mar 10, 2024. It is now read-only.
panprog - liquidatePositionsPartyA limits partyB loss to partyB allocated balance, which can lead to inflated partyB balance and loss of funds for protocol users
#6
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
github-actions
bot
added
High
MoonKnightDev
added
Sponsor Confirmed
sherlock-admin2
changed the title
liquidatePositionsPartyA limits partyB loss to partyB allocated balance, which can lead to inflated partyB balance and loss of funds for protocol usersliquidatePositionsPartyA limits partyB loss to partyB allocated balance, which can lead to inflated partyB balance and loss of funds for protocol users
|
Fixed Code PR: SYMM-IO/protocol-core#36 |
|
Verified. Fixed in PR 36 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
panprog
high
liquidatePositionsPartyAlimits partyB loss to partyB allocated balance, which can lead to inflated partyB balance and loss of funds for protocol usersSummary
If partyB has positions both in a high profit and in a high loss, so that total upnl is much smaller than individual positions upnl, then partyB can deallocate most (or even all) of its funds. During partyA liquidation,
liquidatePositionsPartyAlimits partyB loss to the current allocated balance of partyB. In this case there is a big difference of the final results depending on order of position liquidations:If such liquidation happens (intentional or not), partyB will have much more funds than it should at the expense of the other users: protocol will owe users more funds than it has, which can lead to bank run and the last users being unable to withdraw.
Vulnerability Detail
Example Scenario:
Position 1: upnl = -960, cva+lf = 10, mm=10
Position 2: upnl = +1000, cva+lf = 10, mm=10
Total cva+lf = 20, total mm=20
PartyB has allocated balance = 0 (available = 0 + 1000 - 960 = 40 >= 20 - not liquidatable)
Party A is liquidated:
amount= 960amountToDeduct= 0 (because partyB allocated balance = 0)partyB allocatedBalance remains 0
amount= 1000partyB allocatedBalance increases by 1000 (is set to 1000)
The result: PartyB should have a balance of less than 60 (upnl+cva), but it has 1000 instead!
Impact
In some situations during partyA liquidations, PartyB balance is increased significantly while no funds enter the protocol, meaning protocol debt to users increases and is greater than protocol funds. This can cause a bank run, since the last users to withdraw will be unable to do so.
Code Snippet
amountToDeductis calculated as minimum between partyB loss and partyB balance. This amount is deducted from current partyB allocated balance.https://github.com/sherlock-audit/2023-08-symmetrical/blob/main/symmio-core/contracts/facets/liquidation/LiquidationFacetImpl.sol#L163-L166
Tool used
Manual Review
Recommendation
Calculate total (signed) pnl for positions for each partyB before applying it:
amountToDeductshould be for all positions combined for a particular partyB instead of separate positions.The text was updated successfully, but these errors were encountered: