Strategist can utilize lending protocol liquidations to take value from BoringVaults #15
Description
Issue
Currently there are no Health Factor checks when strategists borrow from Aave V3, or Morpho Blue. This can be abused in the following scenario.
- Malicious strategist sees a Chainlink DataFeed update TX in the mem pool, that will lower the price a lending pools collateral.
- Strategist builds a rebalance TX such that they leverage into that specific collateral, to lower the BoringVaults health factor to just above 1.
- Strategist builds a liquidation TX to liquidate the BoringVault
- Strategist submits the following bundle to a block builder.
- Rebalance TX
- Chainlink DataFeed update TX
- Liquidation TX
The result is the strategist is able to liquidate the BoringVaults position. It is important to note that such an attack is not entirely risk free, as the block builder could choose to submit their own liquidation TX.
Fix
Create a micro manager that runs a health factor check after making a manageVaultWithMerkleVerification call. This micro manager root should contain the target lending protocols deposit, borrow, repay, and withdraw functions, and additionally flash loan capabilities. The strategist's root would not contain any of the lending protocols functions described above.