Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

configureCollateralLiquidationPriority() doesn’t ensure loan to value is ordered

SBSecurity

Summary

When configureCollateralLiquidationPriority() is called, it does not ensure that the passed assets are with loan-to-value in ascending order.

Vulnerability Details

Assets in liquidation priority should be ordered by loan-to-value parameter, starting with the smallest. But this is not the case as there is no check for this when adding them.

function configureCollateralLiquidationPriority(Data storage self, address[] memory collateralTypes) internal {
uint256 cachedCollateralTypesCached = collateralTypes.length;
for (uint256 i; i < cachedCollateralTypesCached; i++) {
if (collateralTypes[i] == address(0)) {
revert Errors.ZeroInput("collateralType");
}
if (!self.collateralLiquidationPriority.add(collateralTypes[i])) {
revert Errors.MarginCollateralAlreadyInPriority(collateralTypes[i]);
}
}
}

Impact

Wrong asset order will result in the wrong tokens being sent when the position is liquidated.

Tools Used

Manual Review

Recommendations

When configureCollateralLiquidationPriority() is called, there should be a check to see if the ltv of a collateral from GlobalConfigurationBranch is less than the next one in the collateralTypes array, if not first sort them and then configure them.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.