DittoETH
Ditto
DeFiFoundryOracle
55,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Unexpected collateral loss may happen inside liquidation

nyx

Summary

Vulnerability Details

According to documentation, When CR >= minimumCR, the shorter will get back some of their collateral, with 1 CR worth of collateral being burned to cover the position's debt. When CR < minimumCR, the shorter doesn't get anything back, and the remaining collateral goes to the TAPP. If the CR < 1, then the TAPP is getting less collateral back in paying off the under-collateralized debt.

function _fullorPartialLiquidation(MTypes.MarginCallPrimary memory m) private {
uint88 decreaseCol = min88(m.totalFee + m.ethFilled, m.short.collateral);
if (m.short.ercDebt == m.ercDebtMatched) {
// Full liquidation
LibShortRecord.disburseCollateral(
m.asset,
m.shorter,
m.short.collateral,
m.short.zethYieldRate,
m.short.updatedAt
);
LibShortRecord.deleteShortRecord(m.asset, m.shorter, m.short.id);
if (!m.loseCollateral) { //@audit
m.short.collateral -= decreaseCol;
s.vaultUser[m.vault][m.shorter].ethEscrowed += m.short.collateral;
s.vaultUser[m.vault][address(this)].ethEscrowed -= m.short.collateral;
}

In the _performForcedBid() function, if the loseCollateral is true, the shorter will lose his collateral. But the problem is, according to the docs, the shorter only needs to lose his collateral when cRatio < minimunCR , the current implementation could lead to the loss of collateral even in states where it should be secure.

Impact

This might lead to unexpected loss of collateral for users who should have been within safe limits.

Tools Used

Manual Review

Recommendations

m.loseCollateral = m.cRatio < m.minimumCR;
Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-171

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.