063.md

Orbiting Sangria Porpoise

Medium

Removal of closeFactorMantissa & maxClose constraints in deprecated markets allows attack vector to worsen protocol's health

Summary

In a deprecated market, the closeFactorMantissa & maxClose constraints are not applied and the only check active is whether borrowBalance >= repayAmount. This allows the following attack vectors:

1. Malicious user partially liquidates a shortfall debt position just enough to push it into a badDebt position.

2. Malicious user partially liquidates a shortfall debt position just enough to leave behind dust amount of unhealthy debt which would be unprofitable for others to liquidate due to gas costs, specially on chains like Ethereum.

Description

Here are the flows:

Attack Vector 1 ( push into badDebt territory )

Setup:

• Bob has borrowed 40 ETH worth against collateral of 50 ETH worth. 85% LTV is allowed.
• Liquidation incentive is 12%.
• Price movement causes Bob borrow to be worth 45 ETH, making it eligible for liquidation by Alice.

1. IF closeFactorMantissa of 0.9e18 or 90% was applicable here, Alice would have at best:

   • Liquidated a max 90% * 45 = 40.5 ETH of debt.
   • Received 12% * 40.5 = 4.86 ETH of liquidation incentive.
   • Remaining debt = 45 - 40.5 = 4.5 ETH and remaining collateral = 50 - 40.5 - 4.86 = 4.64 ETH.
   • New LTV = 100 * 4.5 / 4.64 = 96.98%.
   • Also, the remaining debt is less than the minBorrowAmountAllowPartialLiquidation limit of 10 ETH which will force full liquidation for the next liquidation attempt. ( There is a different bug which won't allow the next liquidation attempt but that is unrelated to the current issue ).
   • No attack vector here.

2. However closeFactorMantissa constraint is not applicable in a deprecated market. So Alice does this:

   • Liquidates 44 ETH of debt.
   • Receives 12% * 44 = 5.28 ETH of liquidation incentive.
   • Remaining debt = 45 - 44 = 1 ETH and remaining collateral = 50 - 44 - 5.28 = 0.72 ETH.
   • New LTV = 100 * 1 / 0.72 = 138.89%.
   • We moved into badDebt territory. No incentive for liquidators now to liquidate this.

Attack Vector 2 ( leave behind unhealthy dust amount of debt )

Setup:

• Bob has borrowed 9 ETH worth against collateral of 11 ETH worth. 85% LTV is allowed.
• Liquidation incentive is 1%.
• Price movement causes Bob borrow to be worth 10.8890888899 ETH, and collateral to be worth 10.998 ETH making it eligible for liquidation by Alice.

1. Alice liquidates 10.8888889 ETH worth of debt. She receives 10.8888889 * 1.01 = 10.997777789 ETH worth of collateral.
2. Remaining debt = 10.998 - 10.8888889 = 0.000199989900000475 ETH and remaining collateral = 10.998 - 10.997777789 = 0.000222211000000527 ETH.
3. New LTV = 100 * 0.000199989900000475 / 0.000222211000000527 = 90%.

The remaining collateral is just too low to be profitable after gas costs.

Impact

In the end these unhealthy low value debts & bad debts will never get liquidated, worsening protocol health. The protocol's goal of clearing a deprecated market is also not achieved.

Mitigation

Add these 2 checks:

1. If upon partial liquidation, leftover debt is in the badDebt territory, then it should revert and only allow full liquidation albeit with a reduced liquidation incentive.
2. If upon partial liquidation, leftover debt is less than minLeftoverDebtAllowed (some small value decided by the protocol) then it should revert.