Submission Details
Severity:
`flagShort()` does not check if `flaggerHint == 0`
Summary
flagShort() does not check if flaggerHint == 0, it may cause the malicious user call the flagShort() repeatly to prevent liquidation
Vulnerability Details
As we can see, flagShort() does not check if flaggerHint == 0, and then it will call the short.setFlagger(cusd, flaggerHint); to set the short.flaggerId is 0. So the flagShort() can be call repeatly to prevent liquidation
function flagShort(address asset, address shorter, uint8 id, uint16 flaggerHint)
external
isNotFrozen(asset)
nonReentrant
onlyValidShortRecord(asset, shorter, id)
{
if (msg.sender == shorter) revert Errors.CannotFlagSelf();
STypes.ShortRecord storage short = s.shortRecords[asset][shorter][id];
short.updateErcDebt(asset);
if (
short.getCollateralRatioSpotPrice(LibOracle.getSavedOrSpotOraclePrice(asset))
>= LibAsset.primaryLiquidationCR(asset)
) {
revert Errors.SufficientCollateral();
}
uint256 adjustedTimestamp = LibOrders.getOffsetTimeHours();
// check if already flagged
if (short.flaggerId != 0) {
uint256 timeDiff = adjustedTimestamp - short.updatedAt;
uint256 resetLiquidationTime = LibAsset.resetLiquidationTime(asset);
if (timeDiff <= resetLiquidationTime) {
revert Errors.MarginCallAlreadyFlagged();
}
}
short.setFlagger(cusd, flaggerHint);
emit Events.FlagShort(asset, shorter, id, msg.sender, adjustedTimestamp);
}
Impact
the malicious user call the flagShort() repeatly to prevent liquidation
Tools Used
manual
Recommendations
check if flaggerHint == 0
Prize pool breakdown
Total prize
55,000 USDC
nSLOC
3,36516 USDC / LOC
50,000 USDC
5,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.