Summary
In LiquidationPoolManager contract, the runLiquidation(uint256 _tokenId) function might not be available to be called if there are a lot of holders in holders[] list and a lot of PendingStake in pendingStakes[] list of LiquidationPool. It means that the project cannot be funded by either builder or community owner.
It means that Smart Vault cannot be liquidated though it is undercollateralised.
Vulnerability Details
runLiquidation() used distributeAssets() function. And the loop in distributeAssets() did not have a mechanism to stop, it’s only based on the length holders.length, and may take all the gas limit.
function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {
consolidatePendingStakes();
(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
uint256 stakeTotal = getStakeTotal();
uint256 burnEuros;
uint256 nativePurchased;
for (uint256 j = 0; j < holders.length; j++) {
Position memory _position = positions[holders[j]];
uint256 _positionStake = stake(_position);
if (_positionStake > 0) {
for (uint256 i = 0; i < _assets.length; i++) {
ILiquidationPoolManager.Asset memory asset = _assets[i];
if (asset.amount > 0) {
(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
uint256 _portion = asset.amount * _positionStake / stakeTotal;
uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd) / uint256(priceEurUsd)
* _hundredPC / _collateralRate;
if (costInEuros > _position.EUROs) {
_portion = _portion * _position.EUROs / costInEuros;
costInEuros = _position.EUROs;
}
_position.EUROs -= costInEuros;
rewards[abi.encodePacked(_position.holder, asset.token.symbol)] += _portion;
burnEuros += costInEuros;
if (asset.token.addr == address(0)) {
nativePurchased += _portion;
} else {
IERC20(asset.token.addr).safeTransferFrom(manager, address(this), _portion);
}
}
}
}
positions[holders[j]] = _position;
}
if (burnEuros > 0) IEUROs(EUROs).burn(address(this), burnEuros);
returnUnpurchasedNative(_assets, nativePurchased);
}
}
If the gas limit is reached, this transaction will fail or revert.
The loop in consolidatePendingStakes() which is used by distributeAssets() did not have a mechanism to stop either.
function consolidatePendingStakes() private {
uint256 deadline = block.timestamp - 1 days;
for (int256 i = 0; uint256(i) < pendingStakes.length; i++) {
PendingStake memory _stake = pendingStakes[uint256(i)];
if (_stake.createdAt < deadline) {
positions[_stake.holder].holder = _stake.holder;
positions[_stake.holder].TST += _stake.TST;
positions[_stake.holder].EUROs += _stake.EUROs;
deletePendingStake(uint256(i));
i--;
}
}
}
The loop in getStakeTotal() which is used by distributeAssets() did not have a mechanism to stop either.
function getStakeTotal() private view returns (uint256 _stakes) {
for (uint256 i = 0; i < holders.length; i++) {
Position memory _position = positions[holders[i]];
_stakes += stake(_position);
}
}
If the gas limit is reached, this transaction will fail or revert.
Impact
The Smart Vault cannot be liquidated though it is undercollateralised. The holders will lose value of the EUROs.
Tools Used
Manual analysis
Recommendations
For getStakeTotal() , consider keeping value of getStakeTotal() in a storage variable and update it when a stake is added or updated accordingly.
