A user whose HealthFactor has gone bad can self-liquidate and recover the collateral tokens.
Consider a user whose HealthFactor is below the threshold. Other users can now liquidate that user and earn the 10% reward. In the liquidation workflow, the liquidator's DSC tokens are burnt and the collateral is given to the liquidator.
In the current implementation, however, the user can call the liquidate function on themselves without any restriction, recover all the collateral assets (in wETH terms), and still have some collateral left.
From the given PoC:
Value of the assets the user holds before liquidation, at 1 ETH = 20 $ -> 300 $
Value of the assets the user holds after liquidation, at 1 ETH = 18 $ -> 250 $
Value of the assets the user holds once the price updates to 1 ETH = 20 $ -> 300 $
Proof of Concept (run via forge test)
Command to Run - forge test --match-test testSelfLiquidation -vvv --via-ir
The bug would allow a malicious user to liquidate their own position and take additional collateral from the protocol.
Manual Analysis
Add a simple check to prevent users from calling the liquidate function on themselves.
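One way the recommended check can sit in a liquidation path, shown as an added example rather than the audited contract's code. The contract name `MiniEngine`, its function signatures, error names, internal-balance bookkeeping and the 50% threshold are all assumptions made for illustration; only the 10% reward comes from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited contract. Reduced single-collateral
// model with internal balances; all names and constants are assumptions.
contract MiniEngine {
    error SelfLiquidationNotAllowed();
    error HealthFactorOk();
    error HealthFactorBroken();

    uint256 constant PRECISION = 1e18;
    uint256 constant LIQUIDATION_THRESHOLD = 50; // percent of collateral value counted
    uint256 constant LIQUIDATION_BONUS = 10;     // percent reward for the liquidator

    uint256 public price;                          // USD per collateral unit, 18 decimals
    mapping(address => uint256) public collateral; // collateral units held in the engine
    mapping(address => uint256) public debt;       // stablecoin minted against collateral
    mapping(address => uint256) public stable;     // stablecoin balances

    // Stand-in for a price feed so a test can move the price.
    function setPrice(uint256 newPrice) external { price = newPrice; }

    function healthFactor(address user) public view returns (uint256) {
        if (debt[user] == 0) return type(uint256).max;
        uint256 adjusted = (collateral[user] * price / PRECISION) * LIQUIDATION_THRESHOLD / 100;
        return adjusted * PRECISION / debt[user];
    }

    function depositAndMint(uint256 collateralAmount, uint256 mintAmount) external {
        collateral[msg.sender] += collateralAmount;
        debt[msg.sender] += mintAmount;
        stable[msg.sender] += mintAmount;
        if (healthFactor(msg.sender) < PRECISION) revert HealthFactorBroken();
    }

    function liquidate(address user, uint256 debtToCover) external {
        // The recommended check: the liquidator must be a different account.
        if (user == msg.sender) revert SelfLiquidationNotAllowed();
        if (healthFactor(user) >= PRECISION) revert HealthFactorOk();

        uint256 seized = debtToCover * PRECISION / price;
        seized += seized * LIQUIDATION_BONUS / 100;

        stable[msg.sender] -= debtToCover; // burn the liquidator's stablecoin
        debt[user] -= debtToCover;         // reverts if more than the user owes
        collateral[user] -= seized;        // reverts if the position cannot pay
        collateral[msg.sender] += seized;  // collateral plus bonus to the liquidator
    }
}
```

The comparison only rejects a call where the liquidator and the liquidated account are the same address; it says nothing about two addresses controlled by one party, so a regression test should assert the `SelfLiquidationNotAllowed` revert and nothing broader.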