Giters

sherlock-audit / 2023-02-blueberry-judging

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

cducrest-brainbot - Fail to accrue interests on multiple token positions

github-actions opened this issue · comments

commented

cducrest-brainbot

high

Fail to accrue interests on multiple token positions

Summary

In BlueBerryBank.sol the functions borrow, repay, lend, or withdrawLend call poke(token) to trigger interest accrual on concerned token, but fail to do so for other token debts of the concerned position. This could lead to wrong calculation of position's debt and whether the position is liquidatable.

Vulnerability Detail

Whether a position is liquidatable or not is checked at the end of the execute function, the execution should revert if the position is liquidatable.

The calculation of whether a position is liquidatable takes into account all the different debt tokens within the position. However, the debt accrual has been triggered only for one of these tokens, the one concerned by the executed action. For other tokens, the value of bank.totalDebt will be lower than what it should be. This results in the debt value of the position being lower than what it should be and a position seen as not liquidatable while it should be liquidatable.

Impact

Users may be able to operate on their position leading them in a virtually liquidatable state while not reverting as interests were not applied. This will worsen the debt situation of the bank and lead to overall more liquidatable positions.

Code Snippet

execute checking isLiquidatable without triggering interests:

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L607

actions only poke one token (here for borrow):

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L709-L715

bank.totalDebt is used to calculate a position's debt while looping over every tokens:

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L451-L475

The position's debt is used to calculate the risk:

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L477-L495

The risk is used to calculate whether a debt is liquidatable:

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L497-L505

Tool used

Manual Review

Recommendation

Review how token interests are triggered. Probably need to accrue interests on every debt token of a position at the beginning of execute.