Wrong Implementation of `LiquidationPool::empty` excludes holder with pending stakes when decreasing a position, resulting in exclusion from asset distribution
Description
If a holder has withdrawn from a previous consolidated position but still has pending stakes eligible for consolidation, they will not be included in the asset distribution. This is due to their prior exclusion from the LiquidationPool.holder array through LiquidationPool::deletePosition, given that the position will be considered as empty when position.TST == 0 && position.EUROs == 0.
Impact
Pending stakes that are consolidated during asset distribution will be excluded from rewards if there is no previous consolidated position due to a prior complete withdrawal, leading to wrong asset distribution when a liquidation occurs
POC
Bob has a position of (TST = 100, EUROS = 100).
Alice has a position of (TST = 100, EUROS = 100).
Alice increases her position by (TST = 100, EUROS = 100). Consequently, a pending stake in her favor is added to the
LiquidationPool.pendingStakearray.Immediately after step 3, Alice does a complete withdrawal of her consolidated position. Given that 24 hours have not passed since step 3, the pending stake created during the previous step is not consolidated. Her current position is considered empty; therefore, she is excluded from holders.
After 24 hours, a vault is liquidated. Now, Alice's pending stake is consolidated, but since she is not included in holders, she is not considered for asset distribution. All assets go to Bob.
Severity justification
Lost of unclaimed yield
Recommended mitigation
When decreasing a position, verify if there is a pending stake from the same holder. If there is, do not exclude the holder from holders array. This means:
Lead Judging Commences
deletePosition-issye
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.