15,000 USDC
View results
Submission Details
Severity: high

A user can self-liquidate to get liquidation reward. Self-liquidation should not be allowed.

Summary

DSCEngine.liquidate() does not check if user is same as msg.sender.

A user can mint more stablecoin to make his position liquiditable then call liquidate() for himself.

Proof of Concept

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L229-L238

function liquidate(address collateral, address user, uint256 debtToCover)
external
moreThanZero(debtToCover)
nonReentrant
{
// need to check health factor of the user
uint256 startingUserHealthFactor = _healthFactor(user);
if (startingUserHealthFactor >= MIN_HEALTH_FACTOR) {
revert DSCEngine__HealthFactorOk();
} // @audit - it does not check it's self-liquidation.

Impact

Self-liquidation will get user addition liquidation reward rather than repaying and redeeming collateral.

Tool used

Manual Review

Recommendation

DSCEngine.liquidate() should revert if msg.sender is same as user.

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L229-L238

function liquidate(address collateral, address user, uint256 debtToCover)
external
moreThanZero(debtToCover)
nonReentrant
{
// need to check health factor of the user
uint256 startingUserHealthFactor = _healthFactor(user);
if (startingUserHealthFactor >= MIN_HEALTH_FACTOR) {
revert DSCEngine__HealthFactorOk();
}
+ require(msg.sender != user, DSCEngine_SelfLiquidaton);

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.