Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Partial liquidation not allowed via `liquidate()` function when `debtToCover` is a small value

t0x1c

Summary

As per design, liquidate() function allows partial liquidation of bad loans. Liquidator can specify the amount of debt to liquidate via the parameter in debtToCover inside function liquidate(address collateral, address user, uint256 debtToCover), and get a 10% liquidation bonus.

However, the function always reverts with DSCEngine__HealthFactorNotImproved if debtToCover is less than (price feed retuned by Chainlink)/1e8, robbing liquidator the opportunity to earn a bonus.

Vulnerability Details

Add the following test to DSCEngine.t.sol and run via forge test --mt testLiquidateSmallDebt -vv. The liquidator should have received 1 wei by partially liquidating 17 wETH, but is not allowed to do so.

function testLiquidateSmallDebt() public {

vm.startPrank(user);

ERC20Mock(weth).approve(address(dsce), amountCollateral);

dsce.depositCollateralAndMintDsc(weth, amountCollateral, amountToMint);

vm.stopPrank();

int256 ethUsdUpdatedPrice = 18e8; // 1 ETH = $18

MockV3Aggregator(ethUsdPriceFeed).updateAnswer(ethUsdUpdatedPrice);

ERC20Mock(weth).mint(liquidator, collateralToCover);

vm.startPrank(liquidator);

ERC20Mock(weth).approve(address(dsce), collateralToCover);

dsce.depositCollateralAndMintDsc(weth, collateralToCover, amountToMint);

dsc.approve(address(dsce), amountToMint);

// @audit-info : reverts with `DSCEngine__HealthFactorNotImproved`

dsce.liquidate(weth, user, 17); // attempt a small `debtToCover`

vm.stopPrank();

uint256 liquidatorWethBalanceAfter = ERC20Mock(weth).balanceOf(liquidator);

assertEq(liquidatorWethBalanceAfter, 1);

}

Impact

Bad loans can not be partially liquidated if debtToCover is small. Robs liquidators the chance to earn a bonus. Impacts overall liquidity of the protocol.

Tools Used

Manual review, forge test.

Recommendations

Either implement a minimum amount of debt required to be covered, so that liquidators know this upfront,
Or fix the health factor calculation.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.