Self-liquidation is possible
Summary
Self-liquidation is possible
Vulnerability Details
A user whose health factor is below the minimum health factor can self-liquidate. Let's imagine that Alice has 140$ worth of wETH deposited into the DSCEngine contract and has minted 100$ worth of DSC. Clearly, Alice is below the minimum health factor defined in the DSCEngine contract, so Alice should be liquidated.
Alice calls the function liquidate. Let's imagine Alice wants to cover 70$ of the debt.
This means totalCollateralToRedeem will be equal to 77$ (after the 10% bonus is added).
The function _redeemCollateral is called and 77$ of Alice's collateral will be sent to
Alice's address. The function _burnDsc is called and 70$ worth of DSC are transferred
from Alice's address to DSCEngine contract's address and are burnt. Alice now has
30$ worth of DSC, 63$ worth of wETH still deposited into the contract and 77$ worth of wETH
transferred to Alice's address. Alice managed to make her position healthy again without losing
any money using the liquidate function.
Impact
The fact that the function liquidate allows for self-liquidation is yet another
reason why the "real" liquidators will not be incentivised to prticipate in the protocol.
liquidate allowing for self-liquidation has the same functionality as the function redeemCollateralForDsc leaving the contract without a properly implemented liquidation functionality.
Tools Used
Manual review
Recommendations
Add a modifier that checks that the liquidator's address is different from the address of the user that should be liquidated.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.