in a healthy state, cumulativeEarmarked should equal the sum of allaccount.earmarked balances. but in the forceRepay function, while the account.earmarked is deducted by earmarkToRemove it is not the case for global cumulativeEarmarked . a frequent liquidation where forceRepay would actually inflates this state, leading to incorrect global state used by the protocol.
on the snippet above, the _forceRepay is deducting from account.earmarked. the amount is based on how much the account can repay their debt where it would prioritize the earmarked amount first.
this is intended but there are oversight on how it should also reduce the global state of cumulativeEarmarked but it is not. this issue would make the whole protocol use wrong global state.
Impact Details
given how cumulativeEarmarked is now inflated, various issue would arise. example:
in redeem function, the amount is capped by cumulativeEarmarked that can be inflated, resulting in more amount than intended can be redeemed unfairly.
_earmark and _calculateUnrealizedDebt relies on liveUnearmarked = totalDebt - cumulativeEarmarked that now would be understated resulting in inaccuracy for the rest of the function
function testForceRepayDoesNotUpdateCumulativeEarmark() external {
vm.startPrank(someWhale);
IMockYieldToken(mockStrategyYieldToken).mint(whaleSupply, someWhale);
vm.stopPrank();
// just ensureing global alchemist collateralization stays above the minimum required for regular liquidations
// no need to mint anything
vm.startPrank(yetAnotherExternalUser);
SafeERC20.safeApprove(address(vault), address(alchemist), depositAmount * 2);
uint256 sharesBalance = IERC20(address(vault)).balanceOf(address(yetAnotherExternalUser));
alchemist.deposit(depositAmount, yetAnotherExternalUser, 0);
vm.stopPrank();
vm.startPrank(address(0xbeef));
SafeERC20.safeApprove(address(vault), address(alchemist), depositAmount + 100e18);
alchemist.deposit(depositAmount, address(0xbeef), 0);
// a single position nft would have been minted to 0xbeef
uint256 tokenIdFor0xBeef = AlchemistNFTHelper.getFirstTokenId(address(0xbeef), address(alchemistNFT));
uint256 mintAmount = alchemist.totalValue(tokenIdFor0xBeef) * FIXED_POINT_SCALAR / minimumCollateralization;
alchemist.mint(tokenIdFor0xBeef, mintAmount, address(0xbeef));
// create redemption and go half maturation
SafeERC20.safeApprove(address(alToken), address(transmuterLogic), mintAmount);
transmuterLogic.createRedemption(mintAmount);
vm.roll(block.number + 5_256_000 / 2);
vm.stopPrank();
// interact first so cumulativeEarmarked would be populated here
// can be anything that trigger _earmark()
alchemist.poke(tokenIdFor0xBeef);
// modify yield token price via modifying underlying token supply
(uint256 prevCollateral, uint256 prevDebt,) = alchemist.getCDP(tokenIdFor0xBeef);
uint256 initialVaultSupply = IERC20(address(mockStrategyYieldToken)).totalSupply();
IMockYieldToken(mockStrategyYieldToken).updateMockTokenSupply(initialVaultSupply);
// increasing yeild token suppy by 59 bps or 5.9% while keeping the unederlying supply unchanged
uint256 modifiedVaultSupply = (initialVaultSupply * 590 / 10_000) + initialVaultSupply;
IMockYieldToken(mockStrategyYieldToken).updateMockTokenSupply(modifiedVaultSupply);
// let another user liquidate the previous user position
vm.startPrank(externalUser);
uint256 earmarkBeforeForceRepay = alchemist.cumulativeEarmarked();
alchemist.liquidate(tokenIdFor0xBeef);
uint256 earmarkAfterForceRepay = alchemist.cumulativeEarmarked();
vm.stopPrank();
// assert the cumualtive earmarked before and after force repay happen
console.log("earmark before force repay: ", earmarkBeforeForceRepay);
console.log("earmark after force repay: ", earmarkAfterForceRepay);
assertEq(earmarkBeforeForceRepay, earmarkAfterForceRepay);
}
