DittoETH (Ditto): DeFi, Foundry, Oracle, 55,000 USDC
Submission Details
Severity: medium
Valid

User can create a small position after exiting with a bid

Summary

A user can create a position below the minimum size after exiting with a bid, because the minimum-position check is not repeated after the bid is matched.

Vulnerability Details

A shorter can partially exit a position using the ExitShortFacet.exitShort function. It accepts a buyBackAmount parameter, which is the amount of debt the user wants to repay. To cover that debt, the function creates a forced bid on behalf of the user for buyBackAmount of the asset.

At the start, the function checks that the position will not be too small after this action; the check is skipped when buyBackAmount == e.ercDebt, i.e. when the user asks for a full exit. The check exists to prevent small positions, which create risk for the system.

The problem is that this check is not sufficient: it should be performed after the bid is matched, when the amount actually purchased is known. Matching does not guarantee that enough of the asset is available for sale, so the whole buyBackAmount may not be acquired.
If the user passes buyBackAmount == e.ercDebt, the check is skipped and e.ercAmountLeft can end up below the minimum position size.

While this can happen accidentally, an attacker can also control this behaviour, since they also supply the bid price. They can run a bot that watches the ask and short order lists and submits a bid that fills almost, but not all, of buyBackAmount. This makes it possible to hold small positions that liquidators may not be interested in liquidating, which can create bad debt.

Impact

Positions below the minimum size can be created; liquidators may not be interested in liquidating them, which can lead to bad debt.

Tools Used

VS Code

Recommendations

The position size should be checked after the bid is matched, when the exact remaining debt (e.ercAmountLeft) is known, rather than only before matching.
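To make the Vulnerability Details and the Recommendation concrete, here is an added, simplified Python model of the exit flow; it is not DittoETH's code. The forced bid, the order book, the minimum size MIN_SHORT_ERC and the error name CannotLeaveDustAmount are all assumptions, and the order-book values are constructed. It places the minimum-position check before matching (as the finding describes) beside the same check placed after matching, and shows that only the latter rejects a partially filled full-exit request.

```python
from dataclasses import dataclass

# Assumed minimum position size; a constructed value, not DittoETH's real constant.
MIN_SHORT_ERC = 2_000


@dataclass
class Short:
    ercDebt: int          # outstanding debt of the short, in asset units
    collateral: int       # collateral backing it (carried along, not used here)


@dataclass
class Ask:
    price: int            # price per unit of asset
    amount: int           # units of asset resting on the book at that price


def match_force_bid(asks: list[Ask], bid_price: int, buy_back_amount: int) -> int:
    """Model of a forced bid: fill against resting asks priced at or below
    bid_price, best price first, until buy_back_amount is reached or the
    eligible liquidity runs out. Returns the amount actually purchased,
    which can be less than buy_back_amount."""
    filled = 0
    for ask in sorted(asks, key=lambda a: a.price):
        if ask.price > bid_price or filled >= buy_back_amount:
            break
        take = min(ask.amount, buy_back_amount - filled)
        filled += take
    return filled


def exit_short_vulnerable(short: Short, asks: list[Ask], bid_price: int,
                          buy_back_amount: int) -> Short:
    """Pre-match check only, skipped when a full exit is requested
    (buy_back_amount == ercDebt). This mirrors the flaw the finding describes."""
    if buy_back_amount > short.ercDebt:
        raise ValueError("buy back exceeds debt")
    if buy_back_amount != short.ercDebt and short.ercDebt - buy_back_amount < MIN_SHORT_ERC:
        raise ValueError("CannotLeaveDustAmount")
    filled = match_force_bid(asks, bid_price, buy_back_amount)
    return Short(short.ercDebt - filled, short.collateral)


def exit_short_fixed(short: Short, asks: list[Ask], bid_price: int,
                     buy_back_amount: int) -> Short:
    """Same flow, but the minimum-size check runs on the debt that actually
    remains after matching, so a partial fill cannot leave a dust position."""
    if buy_back_amount > short.ercDebt:
        raise ValueError("buy back exceeds debt")
    filled = match_force_bid(asks, bid_price, buy_back_amount)
    remaining = short.ercDebt - filled
    if 0 < remaining < MIN_SHORT_ERC:
        raise ValueError("CannotLeaveDustAmount")
    return Short(remaining, short.collateral)


def demo():
    """Full-exit request against a book that holds slightly less than the debt."""
    short = Short(ercDebt=10_000, collateral=15_000)
    # Constructed order book: only 9_500 units resting at price 100.
    asks = [Ask(price=100, amount=9_500)]
    # The pre-match check is skipped (buy_back_amount == ercDebt), the bid
    # fills 9_500 and 500 units of debt remain, below MIN_SHORT_ERC.
    left = exit_short_vulnerable(short, asks, bid_price=100, buy_back_amount=10_000)
    try:
        exit_short_fixed(short, asks, bid_price=100, buy_back_amount=10_000)
        fixed = "no revert"
    except ValueError as err:
        fixed = str(err)
    return left.ercDebt, fixed


if __name__ == "__main__":
    print(demo())
```

The post-match check also keeps the legitimate cases intact: a full exit with enough liquidity leaves zero debt and passes, and a partial exit that leaves a position at or above the minimum passes in both versions.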

Updates

Lead Judging Commences

0xnevi (Lead Judge), over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-145
