Target
Bug Description
When borrower's liquidation becomes negative, liquidators should only be able to seize assets held as collateral (provide liquidity), i.e. cTokens where user called enterMarkets(). However at no point is it validated that Comptroller's market[cToken].accountMembership == true. Therefore all user's assets are at risk of liquidation, and exitMarket has no effect except for reducing user's liquidity (i.e. does not make the asset safe).
Impact
Users may be liquidated out of assets they were not aware that are at risk. Therefore, if they have negative liquidity, assets could be taken without their permission.
Risk Breakdown
Difficulty to Exploit: Easy Weakness: Insufficient validation of input
Recommendation
Add the following check in seizeAllowed():
if (markets[cTokenCollateral].accountMembership[borrower] == false) { return uint(Error.MARKET_NOT_ENTERED); }
References
Compound Docs / Compound Code AAVE's implementation of setUserUseReserveAsCollateral() https://docs.aave.com/developers/v/1.0/developing-on-aave/the-protocol/lendingpool#setuserusereserveascollateral
Proof of Concept
User calls mint() for 2 tokens (e.g. DAI, WBTC)
User calls enterMarkets() for WBTC - positive liquidity
User calls borrow(max_allowed) of some token (e.g. cUNI)
WBTC's value drops by 30% / cUNI's value rises by 30% - user is in negative liquidity
Liquidator calls liquidateBorrow(user, repay, cDAI)
Liquidator successfully seizes user's cDAI holdings.
Comments