Instead of Earning 10% bonus Liquidator will lose 90% of his collateral
Summary
In the current liquidation process, a liquidator needs to mint the required amount of DSC to burn on behalf of a user. However, to do this, the liquidator must deposit double the value of DSC they intend to mint as collateral. After liquidation, the liquidator receives a 10% bonus on top of the value of DSC burned, but there is an issue with the rest of the collateral. The liquidator transferred double the amount required, so they should be able to redeem the excess collateral (total collateral - value burned in DSC). However, attempting to redeem this collateral would break the liquidator's health factor.
Vulnerability Details
Consider the scenario where User A's health factor is broken, and their total debt is 10 DSC. User B decides to liquidate User A and deposits 20 USD worth of collateral (since the protocol requires 200% collateralization) and mints 10 DSC. The process unfolds as follows:
B liquidates A.
After liquidation A's debt is cleared and his DSC balance at protocol is 0 but he still has those 10 DSC in his wallet.
A can redeem his rest of the collateral as he has no remaining DSC left at protocol.
B receives 11 USD worth of collateral (10 DSC worth of collateral + 10% bonus) back in their wallet and is left with 0 DSC in their wallet.
B still has 20 USD worth of collateral and 10 DSC at protocol.
B can not redeem his remaining 10 USD worth of collateral because if he tries to his health factor will break as the protocol is 200% collateralized, so after spending 20 USD he is left with 11 USD.
Consequently, instead of earning a 10% bonus, the liquidator loses 90% of their collateral.
Impact
This vulnerability could have significant implications for the protocol:
Liquidators may avoid liquidating users with broken health factors, jeopardizing the integrity of the protocol, which relies on the assumption that users will be liquidated when their health factor breaks.
Users might be reluctant to use the protocol if they believe that no one would be willing to liquidate them in the event of broken health factor.
Tools Used
Manual analysis and then confirmed by unit testing.
Recommendations
To address this issue, the protocol should consider implementing a feature that allows users who have been liquidated to sell their DSC (which they have in their wallet) to liquidators. By doing so, liquidators can use the purchased DSC to burn and unlock their collateral. This approach would prevent liquidators from suffering significant losses and maintain the overall stability of the protocol.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.