The Standard

Summary

Flow complexity for liquidating loan is very inefficient and expensive, and even can lead to OOG reverts

Vulnerability Details

• Whoever runs the liquidation would have to pay for X * Y (where X is all holders and Y are all tokens to be distributed) transfer transactions only to distribute the rewards to all stakers.

• Multiple iterations over acceptedTokens

• At least 2 iterations over holders , which is huge

• • One inside getStakeTotal

• • One during the distribution: distributeAssets

• At least 2 iterations over pendingStakes , which could go large if user spam it

• • One inside consolidatePendingStakes

• • One inside getStakeTotal

Impact

• Very big cost can result in noone calling liquidation function, because users don't have direct benefit from doing so. This is because whoever call the liquidation distribute rewards to other stakers too.

• Impact could be big if the collateral amount price is decreasing fast and everybody is waiting for someone else to call runLiquidation, until there is no benefit of doing so.

• Generating bad debt

Tools Used

Manual Review

Recommendations

• Optimize gas costs.

• You can introduce storage variables for when liquidation is being called and the amount for stakes for this given time

• Refactor asset distribution, so users are motivated to watch for liquidations and distribute tokens to themselfs.
  (new logic about handling withdraws according to handling liquidation rewards based on timestamp)