DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Bad Debt generation can be frontrun

Summary

The current liquidation mechanism spreads losses among all Shorters when one's debt exceeds the TAPP and Trader's collateral. However, savvy Shorters can frontrun these socialized losses by monitoring for bad debts and exiting their positions before they're affected.

Vulnerability Details

Losses are socialized when:

ethDebt < TAPP Eth Reserve (inc. Short Collateral).

ERC20 token debt is then [distributed among all remaining Shorters based on their position size](https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/libraries/LibShortRecord.sol#L298-L309).
An attacker can monitor the mempool, spot an incoming liquidation, and exit their short position before the losses are socialized, leaving others to cover the shortfall.

Impact

This allows informed users to escape losses, making short positions unappealing and potentially leading to more severe liquidations if only a few uninformed users are left to cover the entire debt.

Tools Used

Manual Review

Recommendations

Introduce a two-stage process for closing short positions:

  1. Unbond: Shorters initiate the closure of their positions.

  2. Exit Short: Shorters can officially close their positions after an unbonding period and during a claim period.
    If Shorters miss the claim period, they must restart the unbonding process. All bad debt accrued during the unbonding period is added to the user’s position.
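
A toy model of the two-stage exit recommended above, added here as an illustration and not taken from the submission or from the Ditto code base. The period lengths, the class and method names, and the pro rata split by debt (standing in for position size) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

UNBONDING_PERIOD = 3600  # seconds; assumed, the page gives no value
CLAIM_PERIOD = 1800      # seconds; assumed, the page gives no value

@dataclass
class Short:
    debt: int                        # ERC20 debt owed by this position
    unbond_at: Optional[int] = None  # time of the pending unbond request

class ShortBook:
    """Toy model: bad debt is socialized pro rata by debt (rounding dust ignored)."""
    def __init__(self):
        self.shorts = {}
    def open(self, who, debt):
        self.shorts[who] = Short(debt)
    def unbond(self, who, now):
        self.shorts[who].unbond_at = now
    def socialize(self, bad_debt):
        # Unbonding positions are still in the pool, so they absorb their share.
        total = sum(s.debt for s in self.shorts.values())
        for s in self.shorts.values():
            s.debt += bad_debt * s.debt // total
    def exit_short(self, who, now):
        s = self.shorts[who]
        if s.unbond_at is None:
            raise PermissionError("unbond first")
        start = s.unbond_at + UNBONDING_PERIOD
        if now < start:
            raise PermissionError("still unbonding")
        if now >= start + CLAIM_PERIOD:
            s.unbond_at = None  # claim period missed: unbonding must restart
            raise PermissionError("claim period missed")
        return self.shorts.pop(who).debt  # includes losses socialized meanwhile

def demo():
    book = ShortBook()
    book.open("alice", 1000)
    book.open("bob", 3000)
    book.unbond("alice", now=0)  # alice starts exiting just before a liquidation
    try:
        book.exit_short("alice", now=10)  # immediate exit is rejected
        escaped = True
    except PermissionError:
        escaped = False
    book.socialize(400)  # bad debt lands while alice is unbonding
    owed = book.exit_short("alice", now=UNBONDING_PERIOD)
    return escaped, owed, book.shorts["bob"].debt  # (False, 1100, 3300)
```

In this model the exiting position still takes its 100-unit share of the 400 in bad debt, so the remaining Shorter is not left covering the whole shortfall.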

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
