Compound

trust-security.xyz · Trust · 4 hours ago · vulnerability
AI Summary

Compound's liquidation path does not validate that the cToken being seized is one the borrower actually entered as collateral. Once an account has a shortfall, a liquidator can seize any cToken the borrower holds, not only those explicitly marked as collateral via enterMarkets(), and exitMarket() offers no protection. The project closed the report as a known issue.

CRIT - Compound - Liquidators may seize assets not held as collateral - Closed as known issue

Target
https://github.com/compound-finance/compound-protocol/pull/127

Bug Description
When a borrower's liquidity becomes negative (the account has a shortfall), liquidators should only be able to seize assets the borrower holds as collateral, i.e. cTokens of markets the user has entered via enterMarkets(). However, at no point does the liquidation path validate that the Comptroller's markets[cTokenCollateral].accountMembership[borrower] is true. Therefore all of the user's cToken holdings are at risk of liquidation, and exitMarket() has no protective effect: it only reduces the user's liquidity and does not make the asset safe from seizure.

Impact
Users may be liquidated out of assets they were not aware were at risk. If they fall into negative liquidity, cTokens they never entered as collateral can be seized without their consent.

Risk Breakdown
Difficulty to Exploit: Easy
Weakness: Insufficient validation of input

Recommendation
Add the following check in seizeAllowed():

    if (markets[cTokenCollateral].accountMembership[borrower] == false) {
        return uint(Error.MARKET_NOT_ENTERED);
    }

References
Compound Docs / Compound Code
AAVE's implementation of setUserUseReserveAsCollateral(): https://docs.aave.com/developers/v/1.0/developing-on-aave/the-protocol/lendingpool#setuserusereserveascollateral

Proof of Concept
1. User calls mint() for two tokens (e.g. DAI and WBTC).
2. User calls enterMarkets() for WBTC only; the account has positive liquidity.
3. User calls borrow(max_allowed) of some token (e.g. cUNI).
4. WBTC's value drops by 30% (or cUNI's value rises by 30%); the user now has negative liquidity.
5. Liquidator calls liquidateBorrow(user, repay, cDAI).
6. Liquidator successfully seizes the user's cDAI holdings.
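To make the proof of concept and the recommended seizeAllowed() check concrete, the following is an added example written for this page; it is not code from compound-protocol or from the report. It is a small Python model of the Comptroller's liquidity and liquidation checks: only entered markets count toward liquidity, borrowing auto-enters the borrowed market, and seizure checks only that the markets are listed. The market names, prices, collateral factors, the fixed 1:1 exchange rate, the account names and the check_membership switch are all constructed assumptions; check_membership=True adds the accountMembership test the report proposes. The enter_then_exit_dai flag reproduces the report's point that exitMarket() does not protect an asset.

```python
"""Toy model of Compound v2's Comptroller liquidation path, written for this
page as an added example (not code from compound-finance/compound-protocol).
Assumptions: cToken exchange rates are fixed at 1:1, prices are whole USD, and
factors use Compound's 1e18 mantissa convention."""
from dataclasses import dataclass, field

EXP_SCALE = 10**18
CLOSE_FACTOR_MANTISSA = 5 * 10**17              # 0.5: at most half the borrow per call
LIQUIDATION_INCENTIVE_MANTISSA = 108 * 10**16   # 1.08: liquidator bonus


@dataclass
class Market:
    price: int                       # oracle price in USD per underlying unit
    collateral_factor_mantissa: int
    is_listed: bool = True
    balances: dict = field(default_factory=dict)            # cToken balance per account
    borrows: dict = field(default_factory=dict)             # borrow balance per account
    account_membership: dict = field(default_factory=dict)  # set by enterMarkets()


class Comptroller:
    def __init__(self, markets, check_membership):
        self.markets = markets
        # True adds the accountMembership check the report recommends for seizeAllowed()
        self.check_membership = check_membership

    def enter_markets(self, account, *ctokens):
        for c in ctokens:
            self.markets[c].account_membership[account] = True

    def exit_market(self, account, ctoken):
        self.markets[ctoken].account_membership[account] = False

    def mint(self, account, ctoken, amount):
        m = self.markets[ctoken]
        m.balances[account] = m.balances.get(account, 0) + amount

    def account_liquidity(self, account):
        """(liquidity, shortfall) in USD; only entered markets are summed."""
        collateral = borrowed = 0
        for m in self.markets.values():
            if not m.account_membership.get(account):
                continue
            collateral += m.balances.get(account, 0) * m.price * m.collateral_factor_mantissa // EXP_SCALE
            borrowed += m.borrows.get(account, 0) * m.price
        return max(collateral - borrowed, 0), max(borrowed - collateral, 0)

    def borrow(self, account, ctoken, amount):
        self.enter_markets(account, ctoken)  # borrowAllowed() auto-enters the borrowed market
        m = self.markets[ctoken]
        m.borrows[account] = m.borrows.get(account, 0) + amount
        if self.account_liquidity(account)[1] > 0:
            m.borrows[account] -= amount
            raise ValueError("INSUFFICIENT_LIQUIDITY")

    def seize_allowed(self, c_collateral, c_borrowed, borrower):
        if not (self.markets[c_collateral].is_listed and self.markets[c_borrowed].is_listed):
            return "MARKET_NOT_LISTED"
        # The deployed seizeAllowed() stops here; the report's fix adds the next check.
        if self.check_membership and not self.markets[c_collateral].account_membership.get(borrower):
            return "MARKET_NOT_ENTERED"
        return "NO_ERROR"

    def liquidate_borrow(self, liquidator, borrower, c_borrowed, repay, c_collateral):
        if self.account_liquidity(borrower)[1] == 0:
            return "INSUFFICIENT_SHORTFALL"
        mb, mc = self.markets[c_borrowed], self.markets[c_collateral]
        if repay > mb.borrows.get(borrower, 0) * CLOSE_FACTOR_MANTISSA // EXP_SCALE:
            return "TOO_MUCH_REPAY"
        seize = repay * mb.price * LIQUIDATION_INCENTIVE_MANTISSA // (EXP_SCALE * mc.price)
        if seize > mc.balances.get(borrower, 0):
            return "LIQUIDATE_SEIZE_TOO_MUCH"
        err = self.seize_allowed(c_collateral, c_borrowed, borrower)
        if err != "NO_ERROR":
            return err
        mb.borrows[borrower] -= repay
        mc.balances[borrower] -= seize
        mc.balances[liquidator] = mc.balances.get(liquidator, 0) + seize
        return "NO_ERROR"


def run_poc(check_membership, enter_then_exit_dai=False):
    """Replays the report's proof of concept with constructed prices and amounts.
    Returns (result code, user's remaining cDAI balance)."""
    c = Comptroller({
        "cDAI":  Market(price=1,     collateral_factor_mantissa=75 * 10**16),
        "cWBTC": Market(price=20000, collateral_factor_mantissa=50 * 10**16),
        "cUNI":  Market(price=10,    collateral_factor_mantissa=75 * 10**16),
    }, check_membership)
    c.mint("user", "cDAI", 10_000)         # 1. mint two assets
    c.mint("user", "cWBTC", 1)
    c.enter_markets("user", "cWBTC")       # 2. enter WBTC only: 20000 * 0.5 = 10,000 USD liquidity
    if enter_then_exit_dai:                # exitMarket() only removes cDAI from the liquidity sum
        c.enter_markets("user", "cDAI")
        c.exit_market("user", "cDAI")
    c.borrow("user", "cUNI", 1_000)        # 3. borrow the maximum: 10,000 / 10 UNI
    c.markets["cWBTC"].price = 14_000      # 4. WBTC falls 30%: 7,000 collateral vs 10,000 borrowed
    result = c.liquidate_borrow("liquidator", "user", "cUNI", 500, "cDAI")  # 5./6. seize cDAI
    return result, c.markets["cDAI"].balances["user"]


if __name__ == "__main__":
    print("current behaviour:", run_poc(check_membership=False))
    print("after exitMarket: ", run_poc(check_membership=False, enter_then_exit_dai=True))
    print("with the fix:     ", run_poc(check_membership=True))
```

Without the check, the liquidator repays 500 UNI (5,000 USD) and walks away with 5,400 cDAI the user never entered as collateral; entering and then exiting the cDAI market changes nothing, because membership is never consulted on the seize path. With the membership check in place the same call fails with MARKET_NOT_ENTERED and the liquidator has to name cWBTC, the market the user actually pledged.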