User position in LiquidationPool could not be used during liquidations
Summary
If a user removes all non-pending positions, the pending ones will not be used in liquidations.
Vulnerability Details
Scenario:
User calls
LiquidationPool.increasePosition(0, 100 * 10**18).1 hour passes.
User calls
LiquidationPool.increasePosition(0, 10000 * 10**18).23 hours pass.
User calls
LiquidationPool.decreasePosition(0, 100 * 10**18)- removal of non-pending positions.The holder is removed from the array of holders (
decreasePosition->deletePosition->deleteHolder).
10000 EUROs could be removed from the pool, but they are not used during liquidations.
The user doesn't receive funds from liquidations.
These funds don't take part in liquidations, which could be critical when the liquidation pool's EUROs amount is less than the liquidated position.
Impact
Users may believe they will receive funds from liquidations, but they won't.
The protocol has fewer funds for liquidations, potentially leading to bad debt.
Tools Used
Manual review
Recommended Mitigation
Add holder in LiquidationPool::consolidatePendingStakes if it does not exist.
Lead Judging Commences
deletePosition-issye
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.