DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Invalid

configureCollateralLiquidationPriority() doesn’t ensure loan to value is ordered

Summary

When configureCollateralLiquidationPriority() is called, it does not verify that the passed assets are ordered by ascending loan-to-value.

Vulnerability Details

Assets in the liquidation priority should be ordered by their loan-to-value parameter, starting with the smallest. Nothing enforces this, because the function performs no such check when adding them.

function configureCollateralLiquidationPriority(Data storage self, address[] memory collateralTypes) internal {
    uint256 cachedCollateralTypesCached = collateralTypes.length;
    for (uint256 i; i < cachedCollateralTypesCached; i++) {
        // reject the zero address
        if (collateralTypes[i] == address(0)) {
            revert Errors.ZeroInput("collateralType");
        }
        // add() returns false for an address already in the set; no LTV comparison is made
        if (!self.collateralLiquidationPriority.add(collateralTypes[i])) {
            revert Errors.MarginCollateralAlreadyInPriority(collateralTypes[i]);
        }
    }
}

Impact

Wrong asset order will result in the wrong tokens being sent when the position is liquidated.

Tools Used

Manual Review

Recommendations

When configureCollateralLiquidationPriority() is called, it should check that the LTV of each collateral, taken from GlobalConfigurationBranch, is less than that of the next one in the collateralTypes array. If it is not, the collateral types should first be sorted and then configured.
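One way to enforce the ordering at configuration time, as an added example that is not code from the submission or the project. The contract name, the ltvOf mapping, setLtv(), getPriority() and the LtvNotAscending error are assumptions made for illustration; a plain array and mapping stand in for the set used in the original function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not project code. ltvOf and setLtv() are assumed
/// stand-ins for wherever the protocol stores each collateral's LTV.
contract LiquidationPriorityExample {
    error ZeroInput(string parameter);
    error MarginCollateralAlreadyInPriority(address collateralType);
    error LtvNotAscending(address previous, address current);

    mapping(address => uint256) public ltvOf; // assumed LTV storage
    mapping(address => bool) private inPriority;
    address[] private priority; // liquidation order, lowest LTV first

    function setLtv(address collateralType, uint256 ltv) external {
        ltvOf[collateralType] = ltv; // access control omitted in this example
    }

    function configureCollateralLiquidationPriority(address[] memory collateralTypes) external {
        uint256 length = collateralTypes.length;
        // Start from the last entry already stored, so the ordering also holds
        // across separate calls and not only inside one input array.
        address previous = priority.length == 0 ? address(0) : priority[priority.length - 1];

        for (uint256 i; i < length; i++) {
            address current = collateralTypes[i];
            if (current == address(0)) revert ZeroInput("collateralType");
            if (inPriority[current]) revert MarginCollateralAlreadyInPriority(current);
            // Revert when an entry's LTV is lower than its predecessor's.
            // Equal LTVs are allowed here; that is a choice made for this example.
            if (previous != address(0) && ltvOf[current] < ltvOf[previous]) {
                revert LtvNotAscending(previous, current);
            }
            inPriority[current] = true;
            priority.push(current);
            previous = current;
        }
    }

    function getPriority() external view returns (address[] memory) {
        return priority;
    }
}
```

This check only holds at the moment of configuration: if a collateral's LTV is changed afterwards, the stored order can become stale and would need to be re-validated.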

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
