DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Valid

flagShort can be bypassed by unhealthy shorter via front running or calling it first to delay their liquidation

Summary

An unhealthy shorter can bypass the self-flagging restriction in flagShort, either by front-running or by calling it first, to delay their liquidation.
The check that the caller is not the shorter is easily bypassed.

Vulnerability Details

MarginCallPrimaryFacet.sol ... function flagShort(...)

if (msg.sender == shorter) revert Errors.CannotFlagSelf();

The above check prevents a shorter from flagging themselves. However, it is not sufficient, because the shorter can easily bypass it by calling the function from another account or address they control that is != shorter, e.g.:

  • When the shorter sees their account moving towards unhealthy, as soon as it passes the threshold they are the first to call the function from another account, so that they hold the first right to liquidation, delaying any other serious liquidator.

  • The shorter can observe the mempool for flagShort() calls against their accounts and front-run the transaction by offering higher gas and calling from a different account. This gives them the first right to liquidate, pushing out the serious liquidators.

See the LitePaper details on flagging:

The flagger will be given first privileges to perform this action. If they fail to do so within the allotted time frame, then any other participant can come in and liquidate the position. Whoever margin calls the position will be able to earn approximately .5% of collateral liquidated in fees. However, if after 16 hours no one has liquidated the position then the short will no longer be margin callable. For positions that still are below the maintenance margin, users will need to re-flag the short to re-initiate the liquidation timer and wait another 10 hours once more before margin calling.

Impact

Because the shorter can bypass the flagShort check, they can delay their liquidation by repeatedly, on a rolling basis, calling flagShort from another account or address that is not the one related to their shorts. This forms a sort of DoS on liquidations for serious liquidators and delays the liquidation of the shorter's unhealthy accounts. Other users do not expect that an account which flagged a short for liquidation will then not liquidate it; since most are interested in flagging and then liquidating, they may miss the small window in which the flagger has not liquidated.
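A monitoring sketch for the pattern described above, added here as an example and not part of the submission or the protocol's code: it scans flag and liquidation events for shorts whose flags repeatedly lapse at the 16-hour reset without a liquidation. The event tuple layout, short ids and addresses are constructed assumptions; the output shows that the pattern occurred, not that a flagger is controlled by the shorter.

```python
from collections import defaultdict

RESET_HOURS = 16  # from the litepaper text quoted on this page: flag lapses after 16 hours

# Constructed sample events (assumed layout): (hour, kind, short_id, actor).
SAMPLE_EVENTS = [
    (0, "flag", "short-1", "0xAAA"),
    (17, "flag", "short-1", "0xBBB"),       # re-flag soon after the first flag lapsed
    (34, "flag", "short-1", "0xAAA"),       # still open at the end of the sample
    (3, "flag", "short-2", "0xCCC"),
    (14, "liquidate", "short-2", "0xCCC"),  # flagger follows through
]

def lapsed_flags(events, reset_hours=RESET_HOURS, now=None):
    """Map short_id -> [(flag_hour, flagger)] for flags that reached the reset
    deadline with no liquidation of that short inside the flag's lifetime."""
    events = sorted(events)
    if not events:
        return {}
    now = events[-1][0] if now is None else now
    liquidated_at = defaultdict(list)
    for hour, kind, short_id, _actor in events:
        if kind == "liquidate":
            liquidated_at[short_id].append(hour)
    lapsed = defaultdict(list)
    for hour, kind, short_id, actor in events:
        deadline = hour + reset_hours
        if kind != "flag" or deadline > now:
            continue  # not a flag, or the flag is still open and cannot be judged yet
        if not any(hour <= t <= deadline for t in liquidated_at[short_id]):
            lapsed[short_id].append((hour, actor))
    return dict(lapsed)

def rolling_reflag_alerts(events, min_lapsed=2, reset_hours=RESET_HOURS):
    """Shorts whose flags lapsed at least min_lapsed times: candidates for review."""
    alerts = []
    for short_id, flags in sorted(lapsed_flags(events, reset_hours).items()):
        if len(flags) >= min_lapsed:
            alerts.append({
                "short_id": short_id,
                "lapsed_flags": len(flags),
                "flaggers": sorted({actor for _, actor in flags}),
                "hours_unliquidated": flags[-1][0] + reset_hours - flags[0][0],
            })
    return alerts

if __name__ == "__main__":
    for alert in rolling_reflag_alerts(SAMPLE_EVENTS):
        print(alert)
```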

Tools Used

Manual Analysis

Recommendations

This is a very big risk that shorters can manipulate and that is damaging to the protocol, but it is not an easy fix. The protocol may need to rethink flagging to avoid such abuses, for example by reducing the long waiting periods (the 10 hours, etc.) to fewer hours. There is no single easy fix, but a combination of fixes may help balance incentives and help the protocol work as expected.

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-270

alra Auditor
almost 2 years ago
aballok Submitter
almost 2 years ago
0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-257
