SIP-0087: Strengthening Lending Pools Security Against Liquidation Circumvention via Refund Reverts
Summary
A vulnerability was discovered in the Sovryn lending pool smart contracts, allowing malicious actors to prevent liquidation or rollover of unhealthy loans by providing a borrower address that reverts upon receiving a refund. This could result in unliquidatable debt until detected and the lending pool smart contracts are upgraded. SIP-0087 proposes a fix to ensure the protocol remains secure and robust.
Background
Recently, a researcher participating in the Sovryn bug bounty program on Immunefi reported a vulnerability affecting the lending pools smart contracts. When a loan is closed — either through liquidation or rollover — a refund of fees may be sent to the borrower. If the fee is collected in RBTC (affecting only the WRBTC lending pool), it is unwrapped and sent directly to the borrower’s address.
Additionally, our development team identified another potential point of failure while reviewing the report and codebase in depth. When the rollover function closes loans due to insufficient collateral, returning small amounts to the borrower, it uses the same refund logic, impacting all other pools where RBTC is used as collateral.
The vulnerability arises when an attacker creates a loan or margin position with a borrower address set to a smart contract that reverts upon receiving the refund. If the loan becomes unhealthy and needs to be liquidated or rolled over, the refund transfer fails, causing the entire transaction to revert. This makes the unhealthy loan unliquidatable, potentially harming the protocol and its users.
The Fix
SIP-0087 proposes the following changes:
- Safe Refund Mechanism: The Loans contract will be updated to use a non-reverting refund pattern. If a refund transfer fails (for example, due to a revert in the recipient contract), the protocol will not revert the entire transaction.
- Redirecting Failed Refunds: Instead of being lost or stuck, any failed refund will be sent to the FeeSharingCollector contract. This ensures the amount is distributed to Sovryn voluntary stakers, keeping value within the community.
- Transparency: An event will be emitted to log failed refunds and their redirection, providing transparency for all protocol users.
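As an added illustration of the three changes above (example code written for this post, not the Sovryn Loans or FeeSharingCollector source), the vulnerable refund beside the non-reverting one. The IFeeSharingCollector interface, its transferRBTC entry point, the REFUND_GAS stipend and the RevertingBorrower test double are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interface; the real FeeSharingCollector entry point may differ.
interface IFeeSharingCollector {
    function transferRBTC() external payable;
}

// Constructed test double: a "borrower" that rejects any RBTC refund.
contract RevertingBorrower {
    receive() external payable { revert("no refunds"); }
}

contract RefundExample {
    IFeeSharingCollector public immutable feeSharingCollector;
    // Assumed bounded stipend so a gas-burning recipient cannot starve the
    // redirect logic below; the SIP text does not specify a value.
    uint256 private constant REFUND_GAS = 50_000;

    // Transparency: logged whenever a refund is redirected to stakers.
    event RefundRedirected(address indexed borrower, uint256 amount);

    constructor(address collector) {
        feeSharingCollector = IFeeSharingCollector(collector);
    }

    receive() external payable {}

    // Vulnerable pattern: if the borrower reverts on receive, this require()
    // reverts too, and the surrounding liquidation or rollover fails with it.
    function refundRevertingOnFailure(address payable borrower, uint256 amount) public {
        (bool ok, ) = borrower.call{value: amount}("");
        require(ok, "refund failed");
    }

    // Hardened pattern: the borrower's behaviour can no longer abort the
    // transaction; a failed refund is forwarded to the FeeSharingCollector.
    function refundSafe(address payable borrower, uint256 amount) public {
        if (amount == 0) return;
        (bool ok, ) = borrower.call{value: amount, gas: REFUND_GAS}("");
        if (!ok) {
            feeSharingCollector.transferRBTC{value: amount}();
            emit RefundRedirected(borrower, amount);
        }
    }
}
```

Calling refundSafe with a RevertingBorrower address completes and emits RefundRedirected, while refundRevertingOnFailure reverts, which is exactly the denial-of-liquidation the report describes.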
Impact
With this fix, unhealthy loans can always be liquidated or rolled over, regardless of the borrower’s address behavior. This strengthens the protocol’s resilience and ensures that malicious actors cannot exploit this vector to create unliquidatable debt.
For more details, please see the SIP-0087 Draft.
Comments on PR#87 are welcome.
Stage
The fix implementation is complete and is currently undergoing review and QA testing to ensure its consistency and security.
The SIP creation is planned for Monday, September 29th.