distributeAssets will not fit in a block after the protocol reaches a relatively small number of stakers
Summary
Due to the current push-based asset distribution, whose gas consumption linearly increases with the number of stakers, the protocol will eventually be unable to distribute liquidated collateral.
Vulnerability Details
Once the LiquidationPool reaches ~835 stakers, a liquidation of an undercollateralized vault (with 1 collateral token) will cost more than 30 million gas, which is more that Ethereum and Optimism block gas limit, so the liquidation will always fail.
Similarly, if the liquidated vault has 2 collateral tokens, as little as ~440 stakers will make the liquidation cost >30 million gas. The more different collateral tokens is liquidated, the smaller the number of stakers to reach the state, so if the vault used all collateral tokens, ~200 stakers will be enough for users to create unliquidatable vaults.
Impact
Undercollateralized loans are not liquidated.
LiquidationPool stakers do not receive the liquidated collateral that they should.
Users can create unliquidatable vaults.
Recommendations
The contract needs complete refactoring, in particular:
Implement shares-based accounting, where users whose EUROs were exchanged for the liquidated collateral (what distributeAssets does right now), will need to manually withdraw the proper amount of that collateral.
Lead Judging Commences
informational/invalid
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.