Revert Lend - AMOW's results

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L696-L697

Vulnerability details

Impact

Users can avoid being liquidated.

Proof of Concept

When calling V3Vault.liquidate liquidator manually inputs LiquidateParams which is further checked against debtShares of the liquitee and reverts DebtChanged in case they don't match.

    function liquidate(LiquidateParams calldata params) external override returns (uint256 amount0, uint256 amount1) {
        // liquidation is not allowed during transformer mode
        if (transformedTokenId > 0) {
            revert TransformNotAllowed();
        }

        LiquidateState memory state;

        (state.newDebtExchangeRateX96, state.newLendExchangeRateX96) = _updateGlobalInterest();

        uint256 debtShares = loans[params.tokenId].debtShares;
        if (debtShares != params.debtShares) { 
            revert DebtChanged();
        }

Unhealthy borrowers can anticipate and front-run liquidations by repaying 1 wei (or minAmount) worth of shares, thus avoid being liquidated.

Furthermore, liquidation profitability is directly proportional to the extent of unhealthiness of a position. Malicious users can call V3Vault.repay (callable by anyone) on slightly unhealthy positions of honest users to avoid them being liquidated by other liquidators thus making the position more unhealthy and eligible for higher liquidation rewards (and lower return to honest user when _cleanupLoan is called)

Tools Used

Manual review

Recommended Mitigation Steps

change the check to:

       if (debtShares > params.debtShares) { 
            revert DebtChanged();
        }

Assessed type

Context