DittoETH

Summary

The liquidation process, which checks for a 'new' price after 15 minutes via updateOracleAndStartingShortViaTimeBidOnly, may result in outdated information, allowing traders to potentially exploit the oracle's delay in price updates and make strategic moves before the update occurs.

Vulnerability Details

Liquidation which only check 'new' price if >= 15 minutes is a definitely a lagging situation.

If there's a sudden, significant change in the asset's market price within a short period (less than 15 minutes), the oracle's reported price may not accurately reflect the current market conditions.

Traders who have access to more up-to-date pricing information can potentially exploit the delay in the oracle's updates. They can take action such as exit position before the oracle's price update occurs.

The liquidation function may execute based on stale data, potentially leading to unnecessary liquidations or failing to liquidate when it should.

the marginCall requires more up-to-date oraclePrice (15 min vs createLimitBid's 1 hour) is not enough

Case scenario:

1. User A, which have a short position for an asset X in DittoETH is in 'healthy' status

2. In real time, the asset price of asset X is plummet

3. Someone is trying to prepare to liquidate this User A position knowing the asset X is plummeted

4. But liquidation can happen in next 15 minutes, because of stale price of asset X

5. Before the 15 minutes passed, User A exit the short position, escaping the liquidation

Impact

User can escape their potential liquidation within the 15 minutes time window when their short position is going to be liquidated on next oracle update.

Tools Used

Manual analysis

Recommendations

When liquidating, consider to use up to date oracle price rather than stale (15 minutes) price.