The calculateHealthFactor function in the LendingPool contract is defined as follows:
Indeed, the getUserCollateralValue function returns the value of a user's collateral in token units (probably USDC or USDT, but we don't have this information), provided by an oracle.
On the other hand, getUserDebt returns the amount of CRVUSD the user owes to the protocol.
This generates an issue when calculating the health ratio:
- if CRVUSD is worth less than 1 token, the health ratio is lower than it should be (debt is considered higher than it really is)
- if CRVUSD is worth more than 1 token, the health ratio is higher than it should be (debt is considered lower than it really is)
This means that borrowers could be liquidated because healthFactor < healthFactorLiquidationThreshold while the USD value of the debt is not too high, i.e., a health factor using the token value of the debt wouldn't reach the liquidation threshold.
The impact of this vulnerability is high, as it leads to potentially incorrect computation of the health ratio, which may lead to unjustified liquidation. The protocol should not assume that 1 reserve asset = 1 token (probably USDC or USDT).
Manual review
Make sure to get the price of the collateral in USD, the price of the reserve asset in USD, both using an oracle, and then compute the health factor.
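The effect of the missing price conversion, and of the recommended fix, can be checked with a small fixed-point model. This is an added example, not code from the LendingPool contract: the health factor formula, the 80% liquidation threshold, the threshold value of 1.0, the 18-decimal scaling and all function names are assumptions, and the positions and prices are constructed.

```python
WAD = 10**18            # 18-decimal fixed point (assumed scaling)
BPS = 10_000            # basis-point denominator
MAX_UINT = 2**256 - 1   # returned when the position has no debt

LIQ_THRESHOLD_BPS = 8_000   # assumed 80% liquidation threshold
HF_LIQUIDATION = 1 * WAD    # assumed healthFactorLiquidationThreshold


def hf_unpriced(collateral_value, debt_crvusd):
    """Health factor that treats 1 CRVUSD as 1 token (the behaviour the finding describes)."""
    if debt_crvusd == 0:
        return MAX_UINT
    return collateral_value * LIQ_THRESHOLD_BPS // BPS * WAD // debt_crvusd


def hf_priced(collateral_value, debt_crvusd, crvusd_price):
    """Health factor after converting the debt to token units with an oracle price."""
    debt_value = debt_crvusd * crvusd_price // WAD   # price is token per CRVUSD, in WAD
    if debt_value == 0:
        return MAX_UINT
    return collateral_value * LIQ_THRESHOLD_BPS // BPS * WAD // debt_value


def liquidatable(collateral_value, debt_crvusd, crvusd_price):
    """Return (decision without price, decision with price) for one position."""
    return (hf_unpriced(collateral_value, debt_crvusd) < HF_LIQUIDATION,
            hf_priced(collateral_value, debt_crvusd, crvusd_price) < HF_LIQUIDATION)


if __name__ == "__main__":
    collateral = 1_000 * WAD   # constructed position: collateral worth 1000 token
    cases = [
        (810 * WAD, 97 * WAD // 100),    # CRVUSD at 0.97: liquidated although the debt value is safe
        (790 * WAD, 103 * WAD // 100),   # CRVUSD at 1.03: looks safe although the debt value is too high
        (810 * WAD, WAD),                # CRVUSD at 1.00: both computations agree
    ]
    for debt, price in cases:
        print(debt // WAD, price / WAD, liquidatable(collateral, debt, price))
```
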