DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: high
Valid

Shorter can grief liquidators

Summary

A shorter can grief liquidators by transferring the short record to another address right before a flagShort call or a secondary liquidation call.

Vulnerability Details

If the collateral ratio of a short position decreases below a specific limit, the position becomes eligible for liquidation.
There are 2 types of liquidation, implemented in MarginCallPrimaryFacet and MarginCallSecondaryFacet. For a MarginCallPrimaryFacet liquidation, flagShort must be called first, after which the user has some time to recover the position.
A MarginCallSecondaryFacet liquidation can be called without flagging if the collateral ratio is under a specific limit.

To flag or liquidate, the liquidator must provide a specific short position of a specific shorter. If that position doesn't exist, the call fails.

Now let's look at the ERC721Facet.transferFrom function, which allows a shorter to transfer their position to another user. The transfer is not possible if the position is already flagged. As a result of the transfer, the previous short record is deleted and a new one is created for the receiver.

With this move the shorter invalidates the previous short position, so anyone who calls MarginCallPrimaryFacet.flagShort or MarginCallSecondaryFacet.liquidateSecondary on that short will fail to execute the action.

Impact

A shorter can frontrun liquidators and grief them.

Tools Used

VS Code

Recommendations

Check the collateral ratio of the short record on transfer. If it is lower than the healthy ratio, don't allow the NFT to be transferred.
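The following simplified model is an added example, not DittoETH code. It shows why the recommended check keeps the liquidator's call valid. The class, method names, account names and the 1.5 threshold are assumptions made for illustration.

```python
# Simplified model of short records keyed by (owner, id). Added example;
# names and MIN_CR are hypothetical, sample values are constructed.
MIN_CR = 1.5  # assumed ratio below which a short may be flagged


class Revert(Exception):
    """Stands in for a reverted transaction."""


class Market:
    def __init__(self, guard_transfers):
        self.guard, self.price, self.next_id = guard_transfers, 1.0, 1
        self.shorts = {}  # (owner, id) -> record dict

    def cr(self, rec):
        return rec["collateral"] / (rec["debt"] * self.price)

    def open_short(self, owner, collateral, debt):
        rid, self.next_id = self.next_id, self.next_id + 1
        self.shorts[(owner, rid)] = {"collateral": collateral, "debt": debt, "flagged": False}
        return rid

    def transfer(self, owner, rid, to):
        rec = self.shorts.get((owner, rid))
        if rec is None or rec["flagged"]:
            raise Revert("missing or flagged short")
        if self.guard and self.cr(rec) < MIN_CR:  # the recommended check
            raise Revert("unhealthy short cannot be transferred")
        del self.shorts[(owner, rid)]  # previous record is deleted
        return self.open_short(to, rec["collateral"], rec["debt"])  # new record for receiver

    def flag_short(self, owner, rid):
        rec = self.shorts.get((owner, rid))
        if rec is None:
            raise Revert("short record does not exist")
        if self.cr(rec) >= MIN_CR:
            raise Revert("short is healthy")
        rec["flagged"] = True


def liquidator_flag_succeeds(guard_transfers):
    m = Market(guard_transfers)
    rid = m.open_short("shorter", 200.0, 100.0)  # CR = 2.0
    m.price = 1.6  # price moves, CR = 1.25 < MIN_CR
    try:
        m.transfer("shorter", rid, "other")  # transfer lands first
    except Revert:
        pass  # blocked by the guard
    try:
        m.flag_short("shorter", rid)  # liquidator targets (shorter, rid)
    except Revert:
        return False
    return True
```
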

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-610
