Lucene search

16 matches found

OSSF Malicious Packages
added 2025/08/14 6:52 p.m. | 1 view

Malicious code in dolomite-liquidator-subgraph (npm)

The package dolomite-liquidator-subgraph was found to contain malicious code...

AI score: 7
Exploits: 0
OSV
added 2025/08/14 6:52 p.m. | 1 view

MAL-2025-18603 Malicious code in dolomite-liquidator-subgraph (npm)

The package dolomite-liquidator-subgraph was found to contain malicious code...

AI score: 7.2
Exploits: 0
Packet Storm News
added 2025/06/21 12:0 a.m. | 3 views

A Theory of Lending Protocols in DeFi

Lending protocols are one of the main applications of Decentralized Finance (DeFi), enabling crypto-assets loan markets with a total value estimated in the tens of billions of dollars. Unlike traditional lending systems, these protocols operate without relying on trusted authorities or off-chain...

AI score: 6.7
Exploits: 0
Code423n4
added 2023/12/21 12:0 a.m. | 10 views

Liquidator has no incentives to execute a favorable trade to the borrower

Lines of code Vulnerability details Summary Swaps involved in liquidations may negatively impact the owner of the lien, since there is no incentive to execute a favorable trade as long as the received amount is enough to recover the liquidity. Impact When an existing position is closed, the...

AI score: 7.3
Exploits: 0
Code423n4
added 2023/12/21 12:0 a.m. | 12 views

liquidator will always take what is left of borrowers premium

Lines of code Vulnerability details Impact A liquidator can manipulate the pool they are swapping in to take any potential left over premium from the borrower. Proof of Concept When liquidating a position the liquidator essentially closes the position on behalf of the borrower for a liquidation...

AI score: 7
Exploits: 0
Code423n4
added 2023/11/15 12:0 a.m. | 7 views

Upgraded Q -> 2 from #19 [1700023001465]

Judge has assessed an item in Issue 19 as 2 risk. The relevant finding follows: Borrower can abuse enterMarkets to force liquidator can pay more fund --- The text was updated successfully, but these errors were encountered: All reactions...

AI score: 7.1
Exploits: 0
Code423n4
added 2023/07/31 12:0 a.m. | 12 views

Liquidator can seize more tokens than the borrower has as collateral, leading to an arithmetic underflow and locking collateral.

Lines of code Vulnerability details Impact Lack of validation on seizeTokens could allow collateral locking by underflow. Proof of Concept The liquidateBorrowFresh function does not explicitly validate that seizeTokens is less than or equal to accountTokensborrower before transferring tokens from...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/07/18 12:0 a.m. | 8 views

Upgraded Q -> 2 from #392 [1689707598962]

Judge has assessed an item in Issue 392 as 2 risk. The relevant finding follows: 4 - The liquidator can be frontrunned while is depositing prizeTokens to the prizePool The liquidator should introduce prizeTokens to the prizePool before he calls the Vault.liquidate function. The problem is that a...

AI score: 6.8
Exploits: 0
Code423n4
added 2023/01/19 12:0 a.m. | 11 views

LienToken: Lender and liquidator can collude to block auction and seize collateral

Lines of code Vulnerability details If a lender offers a loan denominated in an ERC20 token that blocks transfers to certain addresses for example, the USDT and USDC blocklist, they may collude with a liquidator or act as the liquidator themselves to prevent loan payments, block all bids in the...

AI score: 6.7
Exploits: 0
Code423n4
added 2022/12/09 12:0 a.m. | 5 views

WPunk will become locked if liquidator ops to receive the underlying token instead of nToken

Lines of code Vulnerability details Impact WPunks received directly as the result of liquidation will be unable to be withdrawn Proof of Concept function withdrawPunkuint256 calldata punkIndexes, address to external nonReentrant INToken nWPunk = INToken Pool.getReserveDataaddressWPunk.xTokenAddre...

AI score: 6.7
Exploits: 0
Code423n4
added 2022/10/30 12:0 a.m. | 6 views

Arbitrary user can prevent withdrawals on any users through liquidation

Lines of code Vulnerability details Impact The function liquidate is a public function that handles the repayment of debt and provides a reward for users who call this function. Any user can be liquidated if they have debt outstanding. A user incurs debt if they borrow from the market, based on a...

AI score: 6.6
Exploits: 0
Code423n4
added 2022/10/30 12:0 a.m. | 8 views

Liquidator is paid too much

Lines of code Vulnerability details Impact Liquidator is paid 1 + liquidationIncentive repaidDebt, instead of liquidationIncentive repaidDebt. Proof of Concept liquidatorReward is currently calculated in Market.liquidate as follows: uint liquidatorReward = repaidDebt 1 ether / price;...

AI score: 6.9
Exploits: 0
Code423n4
added 2022/07/17 12:0 a.m. | 10 views

Incorrect validation check results with always initial proportion to the liquidator.

Lines of code Vulnerability details Impact The liquidator will get the initial proportion of value irrespective how long the time passed. Proof of Concept if duration == typeuint32.max in above condition check need to be checked with "elapsed" not with "duration" . Since it was mentioned that...

AI score: 7
Exploits: 0
Code423n4
added 2021/10/27 12:0 a.m. | 7 views

A malicious user can potentially escape liquidation by creating a dust amount position and trigger the liquidation by themself

Handle WatchPug Vulnerability details In the current implementation, a liquidated position can be used for depositing and borrowing again. However, if there is a liquidation auction ongoing, even if the position is now liquidatable, the call of triggerLiquidation will still fail. The liquidator...

AI score: 6.8
Exploits: 0
Github Security Blog
added 2021/08/05 4:56 p.m. | 42 views

Incorrect TCR calculation in batchLiquidateTroves() during Recovery Mode

TCR is temporarily miscalculated in the batchLiquidateTroves function during Recovery Mode. The bug lies in batchLiquidateTroves of TroveManager. When calculating system's entire collateral, we should also exclude the liquidated trove's surplus collateral, since liquidation closes the trove and...

AI score: 0.2
Exploits: 0 | References: 5 | Affected Software: 1
Code423n4
added 2021/07/14 12:0 a.m. | 10 views

LendingPair.liquidateAccount fails if tokens are lent out

Handle cmichel Vulnerability details The LendingPair.liquidateAccount function tries to pay out underlying supply tokens to the liquidator using safeTransferIERC20supplyToken, msg.sender, supplyOutput but there's no reason why there should be enough supplyOutput amount in the contract, the contra...

AI score: 6.8
Exploits: 0