This repository has been archived by the owner on Apr 28, 2024. It is now read-only.

mstpr-brainbot - Liquidity owner can burn the liquidity position to hurt borrower #146

Closed
sherlock-admin2 opened this issue Oct 23, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

sherlock-admin2 commented Oct 23, 2023

mstpr-brainbot

medium

Liquidity owner can burn the liquidity position to hurt borrower

Summary

A malicious liquidity position owner can harm the borrower by burning the liquidity; hence, the borrower or any liquidator cannot repay, and the borrower's collateral + liquidation bonus + 1 day collateral rate is lost forever.

Vulnerability Detail

Uniswap v3 positions can be controlled by the original owner and the approval address. In this case, the approval address is the wagmi contract and the owner is the owner of the liquidity position. So the owner can remove and burn the liquidity.

Assuming that Alice has a position and she has borrowed 10 WETH. She obtained this loan from Bob, who happens to be a large whale. However, Bob, seemingly for trolling purposes, decides to burn the liquidity position. Consequently, Alice becomes unable to repay her loan, and as a result, her borrowed collateral, the liquidation bonus, and the collateral she has accrued at the 1-day daily rate are now stuck. Alice has effectively lost that entire amount.

In theory, it appears that Bob has incurred a greater loss than Alice. Nevertheless, this scenario underscores the fact that Alice is a retail user with limited resources, while Bob possesses a significant amount of funds. Thus, Bob may not be concerned about losing 10 WETH, especially if it means causing harm to Alice.

Impact

This does not seem logical to do unless the liquidity position owner and the borrower have some sort of beef, I guess, but it is very easy to do, so I will classify this as medium.

Code Snippet

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L650-L661

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/LiquidityManager.sol#L394-L426

Tool used

Manual Review

Recommendation

Duplicate of #78

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Oct 26, 2023
@sherlock-admin2 sherlock-admin2 changed the title Boxy Tangerine Quail - Liquidity owner can burn the liquidity position to hurt borrower mstpr-brainbot - Liquidity owner can burn the liquidity position to hurt borrower Oct 30, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Oct 30, 2023
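
An added illustration (not part of the original report, and not Uniswap's or Wagmi's code): a simplified Python model of the Alice/Bob scenario above, showing why a repay path that must restore liquidity into the lender's position fails once the position no longer exists. It assumes the manager contract pulls liquidity from the position on borrow and puts it back into the same position on repay; the class names, the `manager` label and the collateral figure are constructed.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class PositionManager:
    """Toy position NFT registry: the owner OR the approved address may act."""
    def __init__(self):
        self.owner, self.approved, self.liquidity = {}, {}, {}

    def mint(self, token_id, owner, liquidity, approved):
        self.owner[token_id] = owner
        self.approved[token_id] = approved
        self.liquidity[token_id] = liquidity

    def _auth(self, caller, token_id):
        if token_id not in self.owner:
            raise Revert("invalid token id")
        if caller not in (self.owner[token_id], self.approved[token_id]):
            raise Revert("not approved")

    def decrease_liquidity(self, caller, token_id, amount):
        self._auth(caller, token_id)
        if amount > self.liquidity[token_id]:
            raise Revert("insufficient liquidity")
        self.liquidity[token_id] -= amount

    def increase_liquidity(self, token_id, amount):
        if token_id not in self.owner:
            raise Revert("invalid token id")
        self.liquidity[token_id] += amount

    def burn(self, caller, token_id):
        self._auth(caller, token_id)
        if self.liquidity[token_id]:
            raise Revert("not cleared")
        for table in (self.owner, self.approved, self.liquidity):
            del table[token_id]

def scenario(owner_burns):
    """Alice borrows 10 from Bob's position; returns (status, detail)."""
    pm = PositionManager()
    pm.mint(1, owner="bob", liquidity=10, approved="manager")
    pm.decrease_liquidity("manager", 1, 10)   # borrow: manager pulls liquidity
    collateral = 12                            # constructed escrow amount
    if owner_burns:
        pm.burn("bob", 1)                      # owner keeps control of the NFT
    try:
        pm.increase_liquidity(1, 10)           # repay: restore the liquidity
        return ("repaid", collateral)
    except Revert as err:
        return ("stuck", str(err))
```

In the model, approval gives the manager the same rights as the owner but takes none away from the owner, which is the property the report relies on.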