top of page

CRIT - Compound - Liquidators may seize assets not held as collateral - Closed as known issue

Target


Bug Description

When borrower's liquidation becomes negative, liquidators should only be able to seize assets held as collateral (provide liquidity), i.e. cTokens where user called enterMarkets(). However at no point is it validated that Comptroller's market[cToken].accountMembership == true. Therefore all user's assets are at risk of liquidation, and exitMarket has no effect except for reducing user's liquidity (i.e. does not make the asset safe).


Impact

Users may be liquidated out of assets they were not aware that are at risk. Therefore, if they have negative liquidity, assets could be taken without their permission.


Risk Breakdown

Difficulty to Exploit: Easy Weakness: Insufficient validation of input


Recommendation

Add the following check in seizeAllowed():

if (markets[cTokenCollateral].accountMembership[borrower] == false) { return uint(Error.MARKET_NOT_ENTERED); }


References

Compound Docs / Compound Code AAVE's implementation of setUserUseReserveAsCollateral() https://docs.aave.com/developers/v/1.0/developing-on-aave/the-protocol/lendingpool#setuserusereserveascollateral


Proof of Concept

  1. User calls mint() for 2 tokens (e.g. DAI, WBTC)

  2. User calls enterMarkets() for WBTC - positive liquidity

  3. User calls borrow(max_allowed) of some token (e.g. cUNI)

  4. WBTC's value drops by 30% / cUNI's value rises by 30% - user is in negative liquidity

  5. Liquidator calls liquidateBorrow(user, repay, cDAI)

  6. Liquidator successfully seizes user's cDAI holdings.


0 comments

Recent Posts

See All

Comments


bottom of page