talfao - A burnt position will prevent repayment and liquidation

[sherlock-admin2]

talfao

medium

A burnt position will prevent repayment and liquidation

Summary

A Burnt loan(position) can lead to a scenario where repayment or liquidation is impossible due to the repay(...) function not checking if the loan position is still active.

Vulnerability Detail

The vulnerability is straightforward. To explain this issue in detail, consider the following steps:

1. Bob borrows a certain amount of loans.
2. The lender, who is the owner of an active loan position, is compromised or intentionally burns their position. This can be accomplished by calling the Uniswap v3 position manager with the following code:

await nonfungiblePositionManager.connect(alice).burn(nftpos[3].tokenId);

3. Now, when Alice attempts to make a repayment, it becomes impossible because the function will revert, indicating that the tokenID does not exist. This occurs when attempting to restore liquidity to the burned position.

As a result, only an emergency "liquidation" is possible for the other loan owners. The entire borrowing cannot be repaid or liquidated anymore.

Proof of Concept

To demonstrate this issue, a Proof of Concept was executed as follows:

it("DOS of repayment if tokenID is burnt", async () => {
        let amountWBTC = ethers.utils.parseUnits("0.05", 8); //token0
        const deadline = (await time.latest()) + 60;
        const minLeverageDesired = 50;
        const maxCollateralWBTC = amountWBTC.div(minLeverageDesired);

        const loans = [
            {
                liquidity: nftpos[3].liquidity,
                tokenId: nftpos[3].tokenId,
            },
        ];
        console.log(await nonfungiblePositionManager.ownerOf(nftpos[3].tokenId)); // alice address
  
       
        const swapParams: ApproveSwapAndPay.SwapParamsStruct = {
            swapTarget: constants.AddressZero,
            swapAmountInDataIndex: 0,
            maxGasForCall: 0,
            swapData: swapData,
        };
    
      
        let params = {
            internalSwapPoolfee: 500,
            saleToken: WETH_ADDRESS,
            holdToken: WBTC_ADDRESS,
            minHoldTokenOut: amountWBTC,
            maxCollateral: maxCollateralWBTC,
            externalSwap: swapParams,
            loans: loans,
        };
        await borrowingManager.connect(bob).borrow(params, deadline);

        const borrowingKey = await borrowingManager.userBorrowingKeys(bob.address, 0);
        const swapParamsRep: ApproveSwapAndPay.SwapParamsStruct = {
            swapTarget: constants.AddressZero,
            swapAmountInDataIndex: 0,
            maxGasForCall: 0,
            swapData: swapData,
        };

        let paramsRep: LiquidityBorrowingManager.RepayParamsStruct = {
            isEmergency: false,
            internalSwapPoolfee: 500,
            externalSwap: swapParamsRep,
            borrowingKey: borrowingKey,
            swapSlippageBP1000: 990, //<=slippage simulated
        };
        await nonfungiblePositionManager.connect(alice).burn(nftpos[3].tokenId); //@audit simulation of hacked lender
        console.log("It was burnt");
        await expect(borrowingManager.connect(bob).repay(paramsRep, deadline)).to.be.reverted// 'Invalid token ID'
    });

Impact

Disabled repayment for that active borrow of the user. The liquidation bonus is not accessible anymore as the whole liquidation is prevented.

Code Snippet

Here, it will revert as the tokenId does not exist anymore.
"Link to Code"

Tool used

Manual Review

Recommendation

To mitigate this vulnerability, it is recommended to implement a check in the _restoreLiquidity(...) function to verify whether the position exists. If it does not exist, necessary actions should be taken to leave the borrowed assets as profit. The following pseudo code outlines this recommendation.

// Pseudo code
function _restoreLiquidity(...){
 RestoreLiquidityCache memory cache;
        for (uint256 i; i < loans.length; ) {
+ if (!success =underlyingPositionManager.call(ownerOf(loan.tokenID)){
 // Do necessary changes
continue;
}
	...
}

Duplicate of #78