0x52 - Pending CRV rewards are not accounted for and can cause unfair liquidations
0x52
high
Pending CRV rewards are not accounted for and can cause unfair liquidations
Summary
pendingRewards are factored into the health of a position so that the position collateral is fairly assessed. However, WCurveGauge#pendingRewards doesn't return the proper reward tokens/amounts, meaning that positions aren't valued correctly and users can be unfairly liquidated.
Vulnerability Detail
    (address[] memory tokens, uint256[] memory rewards) = IERC20Wrapper(
        pos.collToken
    ).pendingRewards(pos.collId, pos.collateralSize);
    for (uint256 i; i < tokens.length; i++) {
        rewardsValue += oracle.getTokenValue(tokens[i], rewards[i]);
    }
When BlueBerryBank is valuing a position it also values the pending rewards since they also have value.
    function pendingRewards(
        uint256 tokenId,
        uint256 amount
    )
        public
        view
        override
        returns (address[] memory tokens, uint256[] memory rewards)
    {}
Above we see that WCurveGauge#pendingRewards returns empty arrays when called. This means that pending rewards are not factored in correctly and users can be liquidated even when they should be safe.
Impact
User is liquidated when they shouldn't be
Code Snippet
Tool used
Manual Review
Recommendation
Change WCurveGauge#pendingRewards to correctly return the pending rewards
Linked PR does not address this issue. Though the WCurveGauge contract was not present in the second contest so it is presumably dropped. Waiting for sponsor comment.
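The following is an added example, not code from the report or from the Blueberry code base: a simplified Python model of the valuation loop quoted in the report, showing how a wrapper that returns empty arrays makes a position look liquidatable when a wrapper that reports accrued rewards would not. The prices, the accrual rate, the 95% threshold, the liquidation rule and all function names are assumptions chosen for illustration.

```python
from typing import Callable, Dict, List, Tuple

# Constructed oracle prices in cents per token unit (assumption, not protocol data).
PRICES: Dict[str, int] = {"LP": 100, "CRV": 90}
PendingFn = Callable[[int, int], Tuple[List[str], List[int]]]

def get_token_value(token: str, amount: int) -> int:
    """Stand-in for oracle.getTokenValue: value of `amount` tokens in cents."""
    return PRICES[token] * amount

def pending_rewards_empty(token_id: int, amount: int) -> Tuple[List[str], List[int]]:
    """Mirrors the reported behaviour: an empty body yields zero-length arrays."""
    return [], []

def pending_rewards_accrued(token_id: int, amount: int) -> Tuple[List[str], List[int]]:
    """Hypothetical corrected wrapper: constructed accrual of 0.05 CRV per LP unit."""
    return ["CRV"], [amount * 5 // 100]

def position_value(coll_size: int, pending: PendingFn) -> int:
    """Collateral value plus pending rewards, following the loop in the report."""
    tokens, rewards = pending(0, coll_size)
    if len(tokens) != len(rewards):
        raise ValueError("tokens and rewards arrays differ in length")
    rewards_value = 0
    for token, reward in zip(tokens, rewards):
        rewards_value += get_token_value(token, reward)
    return get_token_value("LP", coll_size) + rewards_value

def is_liquidatable(debt: int, coll_size: int, pending: PendingFn,
                    threshold_bps: int = 9500) -> bool:
    """Assumed rule: liquidatable when debt exceeds threshold * position value."""
    return debt * 10_000 > threshold_bps * position_value(coll_size, pending)

def unfairly_flagged(positions: Dict[int, Tuple[int, int]]) -> List[int]:
    """IDs that are liquidatable only because pending rewards were left out."""
    return [pid for pid, (debt, size) in sorted(positions.items())
            if is_liquidatable(debt, size, pending_rewards_empty)
            and not is_liquidatable(debt, size, pending_rewards_accrued)]

# Constructed positions: id -> (debt in cents, collateral size in LP units).
SAMPLE_POSITIONS = {1: (90_000, 1_000), 2: (97_000, 1_000), 3: (100_000, 1_000)}

if __name__ == "__main__":
    for pid, (debt, size) in SAMPLE_POSITIONS.items():
        print(pid, is_liquidatable(debt, size, pending_rewards_empty),
              is_liquidatable(debt, size, pending_rewards_accrued))
    print("unfairly flagged:", unfairly_flagged(SAMPLE_POSITIONS))
```

Position 2 sits between the two thresholds, so it is the only one whose liquidation status depends on whether pending rewards are reported.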