Skip to content
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

0xSurena - The liquidation process cannot get done due to insufficient balance #150

Closed
sherlock-admin opened this issue Aug 29, 2023 · 0 comments
Closed

0xSurena - The liquidation process cannot get done due to insufficient balance #150

sherlock-admin opened this issue Aug 29, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Aug 29, 2023
edited by sherlock-admin2
Loading

0xSurena

high

The liquidation process cannot get done due to insufficient balance

Summary

Call to the liquidateVaultsForToken, in order to conducts the liquidation process for a specific token across a list of vaults, will get reverted.

Vulnerability Detail

Once rewards are claimed, they are sent to the Liquidator Row contract for subsequent liquidation. LiquidationRow.sol is the smart contract responsible for liquidating reward tokens into another asset, such as WETH. this contract calls the Swapper contract to swap the token against the target token (which in turn calls an external aggregator).

The _performLiquidation is the method responsible for running the swap trought AsyncSwapper.sol contract.

In the BaseAsyncSwapper.sol.Swap function, the contract will save balance for sell token as sellTokenBalance and compare value of sellTokenBalance to the swapParams.sellAmount. If there is not enough balance to cover the swap process, the transaction will get reverted and the liquidation process will not be done.

        IERC20 sellToken = IERC20(swapParams.sellTokenAddress);
        IERC20 buyToken = IERC20(swapParams.buyTokenAddress);
        uint256 sellTokenBalance = sellToken.balanceOf(address(this));
        if (sellTokenBalance < swapParams.sellAmount) {
            revert InsufficientBalance(sellTokenBalance, swapParams.sellAmount);
        }

If you see the LiquidationRow.sol contract, there is not Approve to the AsyncSwapper.sol contract and there is no transfer from LiquidationRow.sol contract to the AsyncSwapper.sol contract. So always sellTokenBalance is lower than swapParams.sellAmount and the liquidation process cannot get done.

Impact

The liquidation process cannot get done and rewards from vault.collectRewards() will get stuck in the LiquidationRow.sol contract.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/LiquidationRow.sol#L167
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/BaseAsyncSwapper.sol#L19

Tool used

Manual Review

Recommendation

Make sure that the AsyncSwapper.sol contract has enough balance to perform the sellToken swap. Transfer swapParams.sellAmount to the AsyncSwapper.sol contract, before making the call to IAsyncSwapper(asyncSwapper).swap.

Duplicate of #205
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin2 sherlock-admin2 changed the title Blunt Inky Yeti - The liquidation process cannot get done due to insufficient balance 0xSurena - The liquidation process cannot get done due to insufficient balance Oct 3, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Oct 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2