The Standard

DeFiHardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

SmartVault: Liquidations not possible when transfer fails

Summary

SmartVault: Liquidations not possible when transfer fails

Vulnerability Details

liquidate() calls both liquidateNative() and liquidateERC20() to liquidate every accepted token in the smart vault.
We are interested in liquidateERC20() here: it loops through the accepted tokens array and transfers each token to the protocol.
When one of those transfers fails, the whole liquidation process therefore fails. There are multiple reasons why a transfer could fail:

1. Blocked addresses (e.g., the USDC blacklist).
2. The balance of the asset is 0, but it is still listed under the accepted assets (e.g. the vault owner never deposited this token, so its balance is zero, or the owner deposited the token and swapped it for another one after the deposit). Some tokens revert on zero-value transfers (see https://github.com/d-xo/weird-erc20).
3. Paused tokens.
4. Upgradeable tokens whose implementation has changed.

In case 2), when the owner never deposited the token and its balance is 0, all liquidations will systematically fail. This is the most dangerous case, because nothing guarantees that vault owners will deposit some amount of every accepted collateral into the vault.

Impact

See above: a smart vault cannot be liquidated. In certain conditions this might even be triggerable by the user; for instance, a user could try to get onto the USDC blacklist to avoid liquidations.

Tools Used

Manual review, VS Code

Recommendations

Catch reverts on the transfer and skip this asset (it could be kept in the assets list to allow retries later on).
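A sketch of the loop described in the Vulnerability Details and of the fix proposed above, added here as an illustration and not The Standard's SmartVault code: the vulnerable pattern, where one failing transfer reverts the whole liquidation, beside a hardened version that skips empty balances and isolates each transfer so a single bad token is recorded and skipped while staying in the list for a later retry. The contract, event and function names are assumptions; the accepted-token list is assumed to contain only contract addresses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface needed for this sketch.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical vault sketch illustrating the finding (not the project's SmartVault).
contract VaultLiquidationSketch {
    address public immutable protocol;   // liquidation proceeds are sent here
    IERC20[] public acceptedTokens;      // collateral list, kept across liquidations

    event CollateralTransferFailed(address indexed token, uint256 amount);

    constructor(address _protocol, IERC20[] memory _accepted) {
        protocol = _protocol;
        acceptedTokens = _accepted;
    }

    // Vulnerable pattern: a blacklisted recipient, a paused token or a token that
    // reverts on zero-value transfers makes the whole loop revert, so the vault
    // can never be liquidated while that token is in the list.
    function liquidateERC20Vulnerable() external {
        for (uint256 i = 0; i < acceptedTokens.length; i++) {
            IERC20 token = acceptedTokens[i];
            require(token.transfer(protocol, token.balanceOf(address(this))), "transfer failed");
        }
    }

    // Hardened pattern: skip empty balances and treat each transfer as best-effort.
    // A failed token is logged and skipped, not removed, so a later run can retry it.
    function liquidateERC20Hardened() external {
        for (uint256 i = 0; i < acceptedTokens.length; i++) {
            IERC20 token = acceptedTokens[i];
            uint256 amount = token.balanceOf(address(this));
            if (amount == 0) continue; // avoids zero-value-transfer reverts

            // Low-level call: a revert, a false return and a missing return value
            // (non-standard tokens) are all treated as failure, never as a bubble-up.
            (bool ok, bytes memory data) = address(token).call(
                abi.encodeWithSelector(IERC20.transfer.selector, protocol, amount)
            );
            bool success = ok && (data.length == 0 || (data.length >= 32 && abi.decode(data, (bool))));
            if (!success) emit CollateralTransferFailed(address(token), amount);
        }
    }
}
```

Skipping a failed token means its collateral value is not collected in that run, so the emitted event should feed monitoring and the token should be reviewed for removal from the accepted list if it keeps failing.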

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

blacklist-dos

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

blacklist-dos
