Micro Neon Beaver - Migrator Fails to Migrate Borrow-Only Positions Not Used as Collateral #1467
Description
Micro Neon Beaver
Medium
Migrator Fails to Migrate Borrow-Only Positions Not Used as Collateral
Summary
Migrator skips borrow positions from markets not entered as collateral, leaving those specific debt positions unmigrated while other positions migrate successfully
Root Cause
The _collectMendiPositions function in Migrator.sol:165 uses getAssetsIn() which only returns markets the user has entered as collateral. Users who borrowed without entering the market (not using it as collateral) are excluded from migration, leaving their debt positions stranded.
Internal Pre-conditions
- User has borrowed from a Mendi market
- User has NOT entered that market (not using as collateral)
- User attempts migration
External Pre-conditions
None.
Attack Path
- User deposits WETH and enters it as collateral
- User borrows USDC but doesn't enter USDC market (valid in Compound forks)
- User calls migrate()
- WETH position migrates (in
getAssetsIn()) - USDC borrow position NOT migrated (not in
getAssetsIn()) - Result: WETH collateral on Malda, USDC debt remains on Mendi
- Split position across two protocols
Impact
Incomplete migration causing split positions across protocols. Specific borrow positions from non-entered markets remain on Mendi while other positions migrate to Malda. Users must manually manage positions on both protocols, increasing complexity and liquidation risk.
PoC
.
Mitigation
Iterate through all markets, not just entered ones:
function _collectMendiPositions(address user) private returns (Position[] memory) {
// Get ALL markets, not just entered
address[] memory allMarkets = IMendiComptroller(MENDI_COMPTROLLER).getAllMarkets();
for (uint256 i = 0; i < allMarkets.length; i++) {
uint256 borrowAmount = IMendiMarket(allMarkets[i]).borrowBalanceStored(user);
if (borrowAmount > 0) {
// Include even if not entered as collateral
}
}
}