Rough Hotpink Wallaby

High

Incorrect parameter in Pool::eliminateReserveDeficit function

Summary

Pool::eliminateReserveDeficit passes an incorrect parameter to LiquidationLogic.executeEliminateDeficit, so the verification inside that function fails.

Root Cause

In Pool.sol#L847, the _usersConfig mapping is indexed with msg.sender, which is the address of an umbrella contract.

The verification logic in LiquidationLogic.executeEliminateDeficit, however, applies its checks to whatever configuration it is handed as userConfig:

function executeEliminateDeficit(
    mapping(address => DataTypes.ReserveData) storage reservesData,
    DataTypes.UserConfigurationMap storage userConfig,
    DataTypes.ExecuteEliminateDeficitParams memory params
) external {
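    // userConfig is the entry the Pool selected from _usersConfig
    require(!userConfig.isBorrowingAny(), Errors.USER_CANNOT_HAVE_DEBT);

    // ... excerpt: the code that defines reserve, balanceWriteOff and userBalance is omitted

    bool isCollateral = userConfig.isUsingAsCollateral(reserve.id);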
    if (isCollateral && balanceWriteOff == userBalance) {
        userConfig.setUsingAsCollateral(reserve.id, false);
        emit ReserveUsedAsCollateralDisabled(params.asset, msg.sender);
    }
}

As a result, the verification runs against the configuration of the umbrella contract's address instead of the user's address.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

The verification in LiquidationLogic.executeEliminateDeficit is applied to the umbrella contract's configuration rather than the user's, which results in incorrect behavior.

PoC

No response

Mitigation

function eliminateReserveDeficit(address user, address asset, uint256 amount) external override onlyUmbrella {
    LiquidationLogic.executeEliminateDeficit(
      _reserves,
+   _usersConfig[user],
      DataTypes.ExecuteEliminateDeficitParams({asset: asset, amount: amount})
    );
  }
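
Review bot: the signature gains an address user parameter while keeping override, so the interface declaration it overrides and the umbrella contract's call site have to change in the same patch, otherwise the override no longer matches. The hunk also shows only the added _usersConfig[user] line with no matching - line, so it should state explicitly that this replaces the existing msg.sender lookup rather than adding a fourth argument. The excerpt of executeEliminateDeficit quoted above still emits ReserveUsedAsCollateralDisabled(params.asset, msg.sender), so the event's address would need to follow the new user argument as well.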