mstpr-brainbot - Liquidations can make debt stuck in the Lenders

[sherlock-admin2]

mstpr-brainbot

high

Liquidations can make debt stuck in the Lenders

Summary

During liquidation, the borrower's stored balance is used. If there's been a significant period where the interest hasn't been updated, the liquidator might only address the stored amount, excluding the accumulated interest.

Vulnerability Detail

Suppose Alice is eligible for liquidation and her recorded liabilities are 100 of token0 and none of token1. However, these are the "stored" values for Alice. Her actual balance becomes 101 once the latest interest accrues.

Now, Bob, the liquidator, steps in to liquidate Alice. But he doesn't account for the latest interest in the pool, so the maximum repay amount is capped at 100 instead of the actual 101, as seen here:
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L231-L232

After a successful liquidation, only 100 tokens will be repaid to the lender, meaning 1 token is missing. The pool assumes that this amount will be repaid eventually. However, this single token is still treated as an outstanding loan by the lender, who anticipates its eventual repayment by Alice, continuing to accrue interest on it. Yet neither Alice nor anyone else is obligated to repay this amount since Alice has already been liquidated. As a result, there's no incentive for anyone to repay this excess amount to the lender. Even though such small discrepancies might seem trivial, they compromise the integrity of the accounting logic. Considering that this scenario could recur across multiple users and the repaid amounts continue accruing interest, the accounting discrepancies could escalate into significant issues.

Impact

Since liquidators are limited to repaying only the stored balance and aren't required to update the pool's latest interest, this can lead to discrepancies in the lender's records. Consequently, some debt may remain indefinitely and will continue accruing interest. Therefore, I classify this as high.

Code Snippet

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Ledger.sol#L225-L232
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L527-L530
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L231-L232

Tool used

Manual Review

Recommendation

Use borrowBalance inside the lender not the stored balance such that the liquidators are forced to repay the entire amount regardless of that's incentivized or not

Duplicate of #41

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

MohammedRizwan commented:

valid