Obedient Lava Monkey
Medium
Lack of debt ceiling validation in validateUseAsCollateral will cause unchecked over-leveraging for users in isolated mode
The absence of a debt ceiling check in validateUseAsCollateral will allow users to exceed the maximum debt limit in isolated mode, bypassing protocol safeguards, as the function does not enforce the ceiling constraint.
In ValidationLogic.sol, the validateUseAsCollateral function determines if a reserve can be used as collateral but omits a critical debt ceiling validation for isolated mode. Specifically, the function lacks a check to ensure:
reserve.totalDebt <= reserveConfig.getDebtCeiling()This oversight allows collateralization even if the total debt of the reserve has already surpassed its configured debt ceiling, breaking isolation mode guarantees and risking over-leveraging. The missing validation leads to unchecked excessive borrowing against reserves, undermining protocol safety.
- A reserve is configured with a debt ceiling in isolation mode.
- A user supplies collateral for that reserve, triggering
validateUseAsCollateral. - The reserve’s total debt exceeds its debt ceiling.
- Debt ceiling configurations are enabled for the reserve.
- The oracle provides correct asset prices for debt and collateral assets.
- A user supplies collateral to a reserve in isolation mode.
- Despite the reserve’s total debt exceeding its debt ceiling, the protocol allows the collateral to be used without restriction.
- The user borrows excessively, risking insolvency or liquidation failures.
The protocol becomes exposed to excessive debt in isolated reserves, risking insolvency or liquidity imbalances. Other users may face reduced liquidity or borrowing opportunities due to debt cap breaches.
Add a debt ceiling check in validateUseAsCollateral to ensure that the reserve’s total debt remains within the configured limit.