Submission Details
Severity: medium

Self-liquidation is possible

Summary

Self-liquidation is possible

Vulnerability Details

A user whose health factor is below the minimum health factor can self-liquidate. Let's imagine that Alice has $140 worth of wETH deposited into the DSCEngine contract and has minted $100 worth of DSC. Clearly, Alice is below the minimum health factor defined in the DSCEngine contract, so Alice should be liquidated.

Alice calls the function liquidate. Let's imagine Alice wants to cover $70 of the debt. This means totalCollateralToRedeem will be equal to $77 (after the 10% bonus is added). The function _redeemCollateral is called and $77 of Alice's collateral will be sent to Alice's address. The function _burnDsc is called and $70 worth of DSC are transferred from Alice's address to the DSCEngine contract's address and are burnt. Alice now has $30 worth of DSC, $63 worth of wETH still deposited into the contract and $77 worth of wETH transferred to Alice's address. Alice managed to make her position healthy again without losing any money using the liquidate function.

Impact

The fact that the function liquidate allows for self-liquidation is yet another reason why the "real" liquidators will not be incentivised to participate in the protocol. With self-liquidation allowed, liquidate has the same functionality as the function redeemCollateralForDsc, which leaves the contract without a properly implemented liquidation functionality.

Tools Used

Manual review

Recommendations

Add a modifier that checks that the liquidator's address is different from the address of the user that should be liquidated.
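
The walkthrough under Vulnerability Details and the check recommended above, as a small accounting model in whole dollars. This is an added example, not code from the DSCEngine contract or from the original submission; the 50% liquidation threshold, the Account class, the forbid_self flag and the third-party liquidator bob are assumptions introduced for illustration.

```python
from dataclasses import dataclass

BONUS_PCT = 10      # liquidation bonus used in the walkthrough
THRESHOLD_PCT = 50  # assumed liquidation threshold (not stated on the page)


@dataclass
class Account:
    collateral: int = 0  # USD value of wETH deposited in the engine
    debt: int = 0        # DSC minted against that collateral
    weth: int = 0        # USD value of wETH held in the wallet
    dsc: int = 0         # DSC held in the wallet

    def equity(self) -> int:
        # Everything the account owns minus what it owes.
        return self.collateral + self.weth + self.dsc - self.debt

    def healthy(self) -> bool:
        # health factor >= 1  <=>  collateral * threshold >= debt
        return self.collateral * THRESHOLD_PCT >= self.debt * 100


def liquidate(liquidator: Account, user: Account, debt_to_cover: int,
              forbid_self: bool = False) -> None:
    # The recommended check: liquidator must not be the liquidated user.
    if forbid_self and liquidator is user:
        raise PermissionError("liquidator must differ from the liquidated user")
    if user.healthy():
        raise ValueError("health factor ok, nothing to liquidate")
    seized = debt_to_cover + debt_to_cover * BONUS_PCT // 100
    user.collateral -= seized        # _redeemCollateral: user -> liquidator
    liquidator.weth += seized
    liquidator.dsc -= debt_to_cover  # _burnDsc: liquidator's DSC is burnt
    user.debt -= debt_to_cover       # and the user's debt falls by that amount


def scenario(self_liquidation: bool, forbid_self: bool = False):
    # Constructed positions: Alice as in the walkthrough, bob holds 70 DSC.
    alice = Account(collateral=140, debt=100, dsc=100)
    bob = Account(dsc=70)
    before = alice.equity()
    liquidate(alice if self_liquidation else bob, alice, 70, forbid_self)
    # Returns Alice's loss, whether she is healthy again, and her final state.
    return before - alice.equity(), alice.healthy(), alice
```

In this model scenario(True) leaves Alice with a loss of 0, while scenario(False) costs her 7, the bonus that goes to the third-party liquidator; with forbid_self=True the self-liquidation call is rejected before any balance changes.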
