Glamorous Admiral Sloth - validateLiquidationCall is wrongly implemented.

[sherlock-admin2]

Glamorous Admiral Sloth

Medium

validateLiquidationCall is wrongly implemented.

Summary

in the validateLiquidationCall we are not verifying the lower bound of the MINIMUM_HEALTH_FACTOR_LIQUIDATION_THRESHOLD as at the lower bound of the params.healthFactor it should also work.

Root Cause

https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/protocol/libraries/logic/ValidationLogic.sol#L244

require(

@>> vars.healthFactor > HEALTH_FACTOR_LIQUIDATION_THRESHOLD,
Errors.HEALTH_FACTOR_LOWER_THAN_LIQUIDATION_THRESHOLD
);

https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/protocol/libraries/logic/ValidationLogic.sol#L403
https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/protocol/libraries/logic/ValidationLogic.sol#L415
function validateLiquidationCall(
DataTypes.UserConfigurationMap storage userConfig,
DataTypes.ReserveData storage collateralReserve,
DataTypes.ReserveData storage debtReserve,
DataTypes.ValidateLiquidationCallParams memory params
) internal view {
ValidateLiquidationCallLocalVars memory vars;

(vars.collateralReserveActive, , , vars.collateralReservePaused) = collateralReserve
  .configuration
  .getFlags();

(vars.principalReserveActive, , , vars.principalReservePaused) = params
  .debtReserveCache
  .reserveConfiguration
  .getFlags();

require(vars.collateralReserveActive && vars.principalReserveActive, Errors.RESERVE_INACTIVE);
require(!vars.collateralReservePaused && !vars.principalReservePaused, Errors.RESERVE_PAUSED);

require(
  params.priceOracleSentinel == address(0) ||

@>> params.healthFactor < MINIMUM_HEALTH_FACTOR_LIQUIDATION_THRESHOLD ||
IPriceOracleSentinel(params.priceOracleSentinel).isLiquidationAllowed(),
Errors.PRICE_ORACLE_SENTINEL_CHECK_FAILED
);

require(
collateralReserve.liquidationGracePeriodUntil < uint40(block.timestamp) &&
debtReserve.liquidationGracePeriodUntil < uint40(block.timestamp),
Errors.LIQUIDATION_GRACE_SENTINEL_CHECK_FAILED
);

require(

@>> params.healthFactor < HEALTH_FACTOR_LIQUIDATION_THRESHOLD,
Errors.HEALTH_FACTOR_NOT_BELOW_THRESHOLD
);

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

No response

PoC

No response

Mitigation

params.healthFactor <= MINIMUM_HEALTH_FACTOR_LIQUIDATION_THRESHOLD