Full Report
In DeFi, there are many lending and borrowing platforms. Users on these platforms can either lend tokens to receive interest or borrow tokens to conduct other activities. Naturally, the borrowers need to provide collateral to take out these loans. If the borrower doesn't make the repayment schedule or the collateral drops below a certain price threshold, then the load is liquidated. This allows other players to payback the loans assets. In exchange, they get a discount on the collateral that the user provided. The original user keeps the assets in this case. The first vulnerability is Liquidation Before Default. The liquidation process allows for a liquidator to make money by purchasing the collateral at a discount. If it's possible to force this early, then money can be stolen. In the first example case, there is a function to return whether a payment is on time or not. If they are overdue, then a user can liquidate the loan. If the loans first payment hasn't been made, then the value is 0, which results in it being liquidatable. Another case allows for the loan parameters to be changed after the loan has been given. Another was a lack of an updated variable leads to instantly written off loan. The next bug is borrower can't be liquidated. If a borrower can devise a loan offer that results in the collateral not being able to be liquidated, this creates a major problem. The AddressSet type will override existing values. So, if an attacker has a loan they could potentially override their collateral with 0, making it impossible to get any collateral out. Another case is providing a malicious oracle. If it's possible to keep the collateral and keep the borrowed funds, the whole system falls apart. In the example, a user can take out multiple loans. When they close out a non-existent loan, it will subtract from the counter without actually doing anything. Hence, a user can take out a large loan, subtract the loan counter and keep the collateral. Some of the other examples are logic flaws that allow for the code to perform unintended executions. The next two findings are related to access controls: repayments paused while liquidations enabled and Collateral Pause Stops Existing Repayment & Liquidation. It's common for smart contracts to be pausable in the event of a vulnerability or market crash. However, should everything be pausible? Depending on the case, it can have problems. For instance, if repayment is blocked then the crash of a cryptocurrency asset being used as collateral could drastically effect the protocol. Additionally, if repayments are not allowed but liquidations are, then it's not fair since the proper payments cannot be made on the funds. A few more... if is a liquidator paying back the collateral for the loaner but the amount is insufficient. And, infinite loan rollover with the borrower continually getting an extension on the loan without the lender being able to get it back. There are many more ways that loans can go wrong. denial of service and several other financial related issues. Overall, a very interesting post on loans related issues with good links to the previous findings.
Analysis Summary
Based on the provided description of DeFi lending vulnerabilities, here is a summarized technical report.
*Note: As the source material describes general vulnerability patterns and findings from various audits/reports rather than a single CVE-trackable software release, typical enterprise identifiers (like specific CVE IDs) are replaced with specific DeFi technical classifications where applicable.*
---
# Vulnerability: Logic Flaws in DeFi Lending & Liquidation Mechanisms
## CVE Details
- **CVE ID**: N/A (Smart Contract Logic Errors)
- **CVSS Score**: 9.0 - 10.0 (Critical - depending on TVL at risk)
- **CWE**: CWE-682 (Incorrect Calculation), CWE-841 (Improper Enforcement of Behavioral Workflow)
## Affected Systems
- **Products**: Decentralized Finance (DeFi) Lending Protocols.
- **Versions**: Various Solidity-based smart contracts (e.g., protocols utilizing `AddressSet` or those with pausable repayment modules).
- **Configurations**: Protocols incorporating liquidation discounts, third-party or user-provided oracles, and administrative "pause" functionality.
## Vulnerability Description
The research highlights several distinct architectural and logic flaws within lending protocols:
1. **Premature Liquidation (Liquidation Before Default)**:
* **Timestamp/State Logic**: A flaw where the "on-time" check defaults to 0 for new loans, triggering an immediate "overdue" state before the first payment window closes.
* **Parameter Manipulation**: Post-loan modification of terms allows attackers or admins to force a default state.
2. **Liquidation Circumvention (Unliquidatable Debt)**:
* **AddressSet Overwriting**: Data structures that allow a user to overwrite their collateral address with a null value (`0x0`), preventing the protocol from retrieving or liquidating the asset.
* **Oracle Manipulation**: Using malicious or stale oracles to report collateral values that prevent the liquidation threshold from being triggered.
3. **Accounting Discrepancies**:
* **Non-existent Loan Closure**: A logic error where closing a non-existent loan decrements a global counter. This allows a user to "mask" active debt, keeping both borrowed funds and collateral.
4. **Improper Access/Pause Controls**:
* **Asymmetric Pausing**: Allowing liquidations to remain active while pausing repayments, creating a "forced default" scenario where users cannot defend their positions during market volatility.
## Exploitation
- **Status**: Multiple findings confirmed via audit reports; PoCs exist for specific protocol forks.
- **Complexity**: Medium
- **Attack Vector**: Network (Smart Contract Interaction)
## Impact
- **Confidentiality**: Low
- **Integrity**: Critical (Theft of funds, manipulation of debt state)
- **Availability**: High (Denial of Service on repayments/liquidations)
## Remediation
### Patches
- **State Validation**: Implement checks to ensure `time_to_payment > 0` before allowing liquidation calls.
- **Immutable Parameters**: Ensure loan terms (interest, duration) are locked or stored in a way that cannot be modified after a loan is initialized.
- **Secure Data Structures**: Use OpenZeppelin’s EnumerableSet or similar libraries that prevent key overwriting or accidental deletion of collateral records.
### Workarounds
- **Symmetric Pausing**: If the protocol is paused, both liquidations and repayments must be frozen simultaneously to protect users.
- **Oracle Guardrails**: Implement "Circuit Breakers" that prevent liquidation if price feeds deviate too sharply or become stale.
## Detection
- **Indicators of Compromise**:
- Rapid sequences of `takeLoan()` followed by `closeLoan()` with invalid IDs.
- Contract calls to liquidation functions where `loan_age < grace_period`.
- **Detection Methods**: Monitoring tools like Forta or Tenderly to alert on `emergencyPause` events or unintended `AddressSet` updates.
## References
- **Audit Findings**: hxxps[://]github[.]com/code-423n4/2022-04-backd-findings
- **Vulnerability Research**: hxxps[://]vercel[.]link/security-checkpoint
- **General DeFi Security**: hxxps[://]dasp[.]co/ (Decentralized Application Security Project)
---
**Security Specialist Note:** These vulnerabilities often arise from a lack of "Proper State Transition" testing. In DeFi, the interaction between time, price, and collateral value must be handled as an atomic state machine to prevent race conditions or logic bypasses.