Frontrunning `LiquidationPoolManager::runLiquidation()` protects a user from liquidation
Summary
If the user's vault becomes undercollateralized and they manage to frontrun LiquidationPoolManager::runLiquidation() function with transfer of more collateral OR the assets prices go back up, liquidation fails and the user has access to full functionality of their vaults.
Vulnerability Details
The liquidated boolean in SmartVaultV3 contract is updated ONLY inside of liquidate function. This makes the vault to be in liquidated state after liquidation is performed.
Impact
This vulnerability incentives the user to track potential undercollateralization to transfer just enough collateral just before loosing the assets during liquidation. This allows for not only much riskier collateral management but also makes staking of TST and EUROs non-rewarding - leaving only minting, burning and swapping fees as a reward for the stakers.
Likelihood of such behaviour is very high as it might not even require large amounts of capital to perform. However, the impact is rather medium as this does not cause direct loss of funds.
PoC is not provided for this finding as it would need to imitate frontrunning one function call and this attack vector is very straight forward without any additional setup required.
Tools Used
Manual review
Recommendations
To mitigate this issue liquidated bool might be updated in the receive() function in case undercollateralised() returns true.
Note that this modification would require deciding if the liquidation should still be performed in case the collateral value goes back up before runLiquidation() call is completed. If not, liquidate = false should be added in
Lead Judging Commences
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.