The Standard

Summary

The runLiquidation() function of the Liquidation pool manager is the main entry point for liquidating undercollaterized vaults. The function goes through the vault manager contract and has it do the actual liquidation and then it distributes the fees for the protocol and distributes the assets to the position holders in the liquidation pool as rewards. The problem is that these liquidated assets never get transferred to the LiquidationPoolManager.

Vulnerability Details

The runLiquidation() starts off with a call to the manager.liquidateVault(_tokenId); which is the vault manager contract. The function simply runs a vaults liquidate() function and revokes it's EUROs roles. The smart vault's liquidate() function sends all of the locked collateral to the protocol address, which was addressed by the developers as a "treasury multi-sig wallet", meaning that all liquidated assets go to the treasure and none actually go to the LiquidationPoolManager. Thus meaning that the calls to distributeFees() and distributeAssets() after the successful liquidation would not distribute any value - not in fees nor in rewards for the position holders, rendering the entire liquidation process meaningless for users.
This creates a huge disincentive for users to use the LiquidationPool and to run liquidations, as it would reap them no rewards which could lead to insolvency as the only thing a user does when interacting with the contract is waste gas on opening and closing positions.

Impact

No fee earnings for users, no asset rewards for stake-holders, no incentive for using the pool contract and liquidating bad vaults.

Tools Used

Manual Review

Recommendations

Send the liquidated assets, or a percentage of them, to the LiquidationPoolManager for proper distribution among stake holders and protocol.