In the contract MErc20DelegateFixer.sol, the function fixUser() allows the admin/governor to fix a user by transferring all of that user's tokens to the liquidator and repaying the user's bad debt. Note that the admin will call this function only when the admin realises that the user holds enough tokens to repay the principal amount of the debt. Once the admin submits this call, a malicious user can wait for it and front-run it by transferring all of their tokens somewhere else, leaving behind a minimal balance of 1 token. Since there is no check which ensures accountTokens[user] >= principal, the malicious user is able to repay all of their debt with almost no tokens.
In the function below, suppose Alice is a malicious user with bad debt such that:

principal = borrowBalanceStored(Alice) = 1000
&
accountTokens[Alice] = 1200

The admin realises that Alice's bad debt can be paid since she holds more tokens than debt, so the admin calls fixUser(liquidator, Alice).

Since Alice is a malicious user, she waits for the admin to call fixUser(liquidator, Alice). Once the admin submits this call, Alice front-runs it by transferring most of her tokens, let's say 1199, to a different account or somewhere else, such that the remaining accountTokens[Alice] = 1; thus liquidated = 1. Since liquidated != 0, the function passes through with accountBorrows[Alice].principal = 0.
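The following is an added, simplified model of the market written for this finding; it is not the project's MErc20DelegateFixer.sol, and the contract name FixerModel, the seed() fixture and the hardened fixUserChecked() variant are assumptions made for illustration. It keeps only the state the scenario above touches (accountTokens, accountBorrows, an admin and a plain transfer) so the two outcomes can be compared: the unchecked fixUser() clears Alice's 1000 principal after the front-run leaves her with 1 token, while the checked variant reverts because the seized amount does not cover the stored principal.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Simplified, illustrative model of an MErc20-style market. It is NOT the
/// project's MErc20DelegateFixer.sol; only the state needed to show the
/// fixUser() ordering issue is kept.
contract FixerModel {
    struct BorrowSnapshot {
        uint256 principal;
        uint256 interestIndex;
    }

    address public admin;
    mapping(address => uint256) public accountTokens;
    mapping(address => BorrowSnapshot) public accountBorrows;

    constructor() {
        admin = msg.sender;
    }

    /// Constructed test fixture (assumption, not a real market function):
    /// lets the deployer set up Alice with 1200 tokens and 1000 principal.
    function seed(address user, uint256 tokens, uint256 principal) external {
        require(msg.sender == admin, "only admin");
        accountTokens[user] = tokens;
        accountBorrows[user].principal = principal;
    }

    /// Plain mToken transfer. This is the call Alice gets mined ahead of
    /// the admin's fixUser() in the scenario above.
    function transfer(address dst, uint256 amount) external {
        require(accountTokens[msg.sender] >= amount, "insufficient balance");
        accountTokens[msg.sender] -= amount;
        accountTokens[dst] += amount;
    }

    function borrowBalanceStored(address user) public view returns (uint256) {
        return accountBorrows[user].principal;
    }

    /// Shape of the vulnerable path described in the finding: the only guard
    /// is liquidated != 0, so 1 leftover token is enough to zero the debt.
    function fixUser(address liquidator, address user) external {
        require(msg.sender == admin, "only admin");
        uint256 liquidated = accountTokens[user];
        require(liquidated != 0, "nothing to liquidate");
        accountTokens[user] = 0;
        accountTokens[liquidator] += liquidated;
        accountBorrows[user].principal = 0;
    }

    /// Hardened variant (assumption): refuse to clear the debt unless the
    /// tokens actually seized cover the stored principal, so a front-running
    /// transfer makes the admin's transaction revert instead of wiping debt.
    function fixUserChecked(address liquidator, address user) external {
        require(msg.sender == admin, "only admin");
        uint256 principal = borrowBalanceStored(user);
        uint256 liquidated = accountTokens[user];
        require(liquidated != 0, "nothing to liquidate");
        require(liquidated >= principal, "tokens do not cover principal");
        accountTokens[user] = 0;
        accountTokens[liquidator] += liquidated;
        accountBorrows[user].principal = 0;
    }
}
```

To replay the scenario, the deployer calls seed(alice, 1200, 1000), the admin broadcasts fixUser(liquidator, alice), and Alice's transfer(other, 1199) is mined first. With fixUser(), accountTokens[liquidator] grows by 1 and accountBorrows[alice].principal becomes 0; with fixUserChecked(), the same ordering reverts with "tokens do not cover principal" and the 1000 principal stays on Alice's account. The model compares mToken units to the principal exactly as the finding phrases the missing check; in a real Compound-style market the seized mTokens should first be converted to underlying through the exchange rate before that comparison is made.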
Severity: High

Tool used: Manual Review