This repository has been archived by the owner on Dec 17, 2023. It is now read-only.

0x52 - _calculateMaxBorrowCollateral calculates repay incorrectly and can lead to set token liquidation #254

Open
sherlock-admin opened this issue Jun 14, 2023 · 3 comments
Labels
High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Contributor

0x52

high

_calculateMaxBorrowCollateral calculates repay incorrectly and can lead to set token liquidation

Summary

When calculating the amount to repay, _calculateMaxBorrowCollateral incorrectly applies unutilizedLeveragePercentage when calculating netRepayLimit. The result is that if the borrowValue ever exceeds liquidationThreshold * (1 - unutilizedLeveragePercentage) then all attempts to repay will revert.

Vulnerability Detail

AaveLeverageStrategyExtension.sol#L1110-L1118

    } else {
        uint256 netRepayLimit = _actionInfo.collateralValue
            .preciseMul(liquidationThresholdRaw.mul(10 ** 14))
            .preciseMul(PreciseUnitMath.preciseUnit().sub(execution.unutilizedLeveragePercentage));

        return _actionInfo.collateralBalance
            .preciseMul(netRepayLimit.sub(_actionInfo.borrowValue))
            .preciseDiv(netRepayLimit);
    }

When calculating netRepayLimit, _calculateMaxBorrowCollateral uses the liquidationThreshold adjusted by unutilizedLeveragePercentage. It then subtracts the borrow value from this limit. This is problematic because if the current borrowValue of the set token exceeds liquidationThreshold * (1 - unutilizedLeveragePercentage) then this line will revert, making it impossible to make any kind of repayment. Once no repayment is possible, the set token can't rebalance and will be liquidated.

Impact

Once the leverage exceeds a certain point, the set token can no longer rebalance.

Code Snippet

AaveLeverageStrategyExtension.sol#L1110-L1118

Tool used

Manual Review

Recommendation

Don't adjust the max value by unutilizedLeveragePercentage
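The revert condition reported above, as an added Python model that is not part of the original issue or the project's code: it mirrors the quoted else-branch with 18-decimal integer math and a checked subtraction, then evaluates it with and without the unutilizedLeveragePercentage factor. The function names, the `apply_unutilized` switch and the sample position are assumptions made for illustration, as is reading liquidationThresholdRaw as basis points.

```python
PRECISE_UNIT = 10**18  # 18-decimal fixed point, as used by PreciseUnitMath


class Revert(Exception):
    """Stands in for an EVM revert."""


def checked_sub(a, b):
    # Models .sub(): the call reverts when b > a.
    if b > a:
        raise Revert("subtraction underflow")
    return a - b


def precise_mul(a, b):
    return a * b // PRECISE_UNIT


def precise_div(a, b):
    if b == 0:
        raise Revert("division by zero")
    return a * PRECISE_UNIT // b


def max_repay_collateral(balance, collateral_value, borrow_value,
                         liq_threshold_raw, unutilized_pct, apply_unutilized):
    """Quoted else-branch; apply_unutilized=False models the recommendation."""
    limit = precise_mul(collateral_value, liq_threshold_raw * 10**14)
    if apply_unutilized:
        limit = precise_mul(limit, checked_sub(PRECISE_UNIT, unutilized_pct))
    # checked_sub reverts as soon as borrow_value exceeds limit
    return precise_div(precise_mul(balance, checked_sub(limit, borrow_value)), limit)


def reverts(*args):
    try:
        max_repay_collateral(*args)
        return False
    except Revert:
        return True


# Constructed sample position (not taken from the issue).
BALANCE = 10 * PRECISE_UNIT             # collateral units held
COLLATERAL_VALUE = 1000 * PRECISE_UNIT
LT_RAW = 8000                           # assumed basis points: 80% threshold
UNUTILIZED = 5 * 10**16                 # 5% unutilizedLeveragePercentage
BORROW_VALUE = 780 * PRECISE_UNIT       # above 760 (1000 * 0.8 * 0.95), below 800

if __name__ == "__main__":
    args = (BALANCE, COLLATERAL_VALUE, BORROW_VALUE, LT_RAW, UNUTILIZED)
    print("original reverts:", reverts(*args, True))
    print("without adjustment:", max_repay_collateral(*args, False))
```

In the sample, the position is still below the 80% liquidation threshold, yet the adjusted limit of 760 is already exceeded, which is the window in which repayment is blocked.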

@github-actions github-actions bot added the High A valid High severity issue label Jun 19, 2023
@pblivin0x

The outlined issue and fix LGTM. We need to loosen the performed netRepayLimit check to avoid the case where we have high leverage and can't submit repayment (borrowValue > liquidationThreshold * (1 - unutilizedLeveragePercentage)).

@ckoopmann ckoopmann added the Sponsor Confirmed The sponsor acknowledged this issue is valid label Jun 22, 2023
@ckoopmann ckoopmann added the Will Fix The sponsor confirmed this issue will be fixed label Jun 25, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jun 27, 2023
@ckoopmann

ckoopmann commented Jul 4, 2023

Fixed in the below PR by removing the unutilizedLeveragePercentage adjustment as suggested:
IndexCoop/index-coop-smart-contracts#142

@IAm0x52
Collaborator

IAm0x52 commented Aug 1, 2023

Fix looks good. unutilizedLeveragePercentage is no longer used when calculating net repay
