Light
DarkOne Bug Per Day
One H/M every day from top Wardens
Join over 1065 wardens!
Receive the email at any hour!
Small loans will never be liquidated, generating bad debt for lenders
mediumLines of code
https://github.com/code-423n4/2024-04-lavarage/blob/9e8295b542fb71b2ba9b4693e25619585266d19e/libs/smart-contracts/programs/lavarage/src/processor/swap.rs#L12 https://github.com/code-423n4/2024-04-lavarage/blob/9e8295b542fb71b2ba9b4693e25619585266d19e/libs/smart-contracts/programs/lavarage/src/processor/liquidate.rs#L19
Vulnerability details
Impact
There isn't a minimum position requirement for borrowers when they start a loan.
Malicious borrowers might abuse this to create a large amount of small loans that will be unprofitable to liquidate. This results in a total loss of funds for lenders as they will get only bad debt.
Proof of Concept
- A malicious borrower starts multiple loans with extremely low amounts of funds borrowed in each one, in a single transaction (by chaining
borrow - add_collateral - borrow - ...with different positions on the same pool). They get the same amount of funds as they would have got with a single big loan AND they pay just for a single transaction. - When the LTV goes > 90% the lender should liquidate each of these loans, but it will be unprofitable to do so as they NEED to execute and pay for multiple transactions.
- The lender will never liquidate all the loans (as it's unprofitable) so they only get bad debt.
Tools Used
Manual review
Recommended Mitigation Steps
Consider implementing a minimum amount to start a loan.
Assessed type
Invalid Validation