Lines of code
Vulnerability details
Impact
The function liquidate() is a public function that handles the repayment of debt and provides a reward for
users who call it. Any user can be liquidated if they have debt outstanding. A user incurs debt if
they borrow from the market, based on a minimum collateral value that must be held in their escrow.
If a user borrows the maximum amount available based on their collateral value, they receive some DOLA value in return;
the idea is that they would then repay this DOLA value in order to redeem their collateral. However, if a liquidator
decides to resolve their debts, the user will be unable to redeem their DOLA value for collateral without investing more collateral
into their escrow.
Proof of Concept
Preconditions:
- There is some way to obtain DOLA outside of the immediate market (i.e. more DOLA supply than collateral).
- CollateralBPS is set such that users can borrow against their full collateral value.
Attack
- The user claims DOLA by borrowing from the market; they borrow the maximum amount of DOLA available based on their collateral balance.
- A liquidator resolves their entire debt balance, which effectively makes escrow.balance() == 0.
- The user must then either find another user to liquidate, or invest more funds into their escrow. This ultimately leads to a pyramid where
at least one user will not be able to redeem their DOLA for collateral.
Tools Used
Manual Review
Recommended Mitigation Steps
- Prevent unpermissioned liquidations from occurring, or ensure that there is some timeout period that allows the user to settle the liquidation ahead of a liquidator.
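The scenario from the Proof of Concept and the timeout idea from the mitigation, run through a deliberately simplified model. This is an added illustration, not the FiRM Market contract or any code from the report: the Market and Account classes, the collateral-factor and incentive arithmetic, and the grace_period parameter are all assumptions made here so that the sequence (max borrow, full permissionless liquidation, empty escrow with DOLA still in hand) can be executed and checked.

```python
# Added, simplified model of the liquidation scenario described in the report.
# It is NOT the FiRM Market contract; all names and mechanics are assumptions.
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


@dataclass
class Account:
    collateral: float = 0.0  # collateral tokens held in the user's escrow
    dola: float = 0.0        # DOLA held in the user's wallet
    debt: float = 0.0        # outstanding DOLA debt owed to the market


class Market:
    """Toy lending market: borrow DOLA against escrowed collateral."""

    def __init__(self, price, collateral_factor_bps, liquidation_incentive_bps=0, grace_period=0):
        self.price = price                                    # collateral price in DOLA
        self.collateral_factor_bps = collateral_factor_bps    # borrowable share of collateral value
        self.liquidation_incentive_bps = liquidation_incentive_bps
        self.grace_period = grace_period  # assumed mitigation: blocks after a borrow during which liquidate() is refused
        self.block = 0
        self.accounts = {}
        self.last_borrow_block = {}

    def account(self, who):
        return self.accounts.setdefault(who, Account())

    def credit_limit(self, who):
        a = self.account(who)
        return a.collateral * self.price * self.collateral_factor_bps / BPS

    def deposit(self, who, amount):
        self.account(who).collateral += amount

    def borrow(self, who, amount):
        a = self.account(who)
        if a.debt + amount > self.credit_limit(who):
            raise ValueError("exceeds credit limit")
        a.debt += amount
        a.dola += amount
        self.last_borrow_block[who] = self.block

    def repay(self, who, amount):
        a = self.account(who)
        amount = min(amount, a.debt)
        if a.dola < amount:
            raise ValueError("insufficient DOLA")
        a.dola -= amount
        a.debt -= amount

    def withdraw(self, who, amount):
        a = self.account(who)
        if amount > a.collateral:
            raise ValueError("insufficient collateral in escrow")
        remaining = (a.collateral - amount) * self.price * self.collateral_factor_bps / BPS
        if a.debt > remaining:
            raise ValueError("withdrawal would leave debt above credit limit")
        a.collateral -= amount

    def liquidate(self, liquidator, who, repay_amount):
        """Permissionless: anyone holding DOLA may repay another user's debt and seize collateral."""
        user, liq = self.account(who), self.account(liquidator)
        if user.debt == 0:
            raise ValueError("nothing to liquidate")
        if self.block < self.last_borrow_block.get(who, 0) + self.grace_period:
            raise ValueError("grace period active; borrower may still settle")
        repay_amount = min(repay_amount, user.debt)
        if liq.dola < repay_amount:
            raise ValueError("liquidator lacks DOLA")
        seized_value = repay_amount * (BPS + self.liquidation_incentive_bps) / BPS
        seized = min(seized_value / self.price, user.collateral)
        liq.dola -= repay_amount
        user.debt -= repay_amount
        user.collateral -= seized
        liq.collateral += seized  # seized collateral credited to the liquidator (modelled as their escrow)


def run_scenario():
    """PoC: full collateral factor, max borrow, then full permissionless liquidation."""
    m = Market(price=1.0, collateral_factor_bps=BPS)
    m.deposit("alice", 100.0)
    m.borrow("alice", m.credit_limit("alice"))  # borrows the maximum: 100 DOLA
    m.account("bob").dola = 100.0               # precondition: DOLA obtained outside this market
    m.liquidate("bob", "alice", 100.0)
    return m


def liquidation_blocked_by_grace_period():
    """Mitigation sketch: within the grace period only the borrower can settle."""
    m = Market(price=1.0, collateral_factor_bps=BPS, grace_period=10)
    m.deposit("alice", 100.0)
    m.borrow("alice", 100.0)
    m.account("bob").dola = 100.0
    try:
        m.liquidate("bob", "alice", 100.0)
    except ValueError:
        m.repay("alice", 100.0)     # borrower settles her own debt ...
        m.withdraw("alice", 100.0)  # ... and redeems her collateral
        return m.account("alice")
    raise AssertionError("liquidation should have been refused")
```

After run_scenario(), alice holds 100 DOLA with zero debt but an empty escrow, which is the state the report describes; withdraw("alice", ...) then fails because there is nothing left to redeem. With a non-zero grace_period the same liquidate() call is refused and the borrower can repay and withdraw herself.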