Delays of positions in liquidation pool prevent utilisation of all funds during liquidation
Summary
Positions added to the liquidation pool have a delay of 1 day. This prevents the use of delayed funds (as well as flashloaned) in liquidations, which could lead to bad debt appearance.
Vulnerability Details
Bad debt note
The main invariant of collateralised stablecoins: Issued stable coin value <= collateral value * collateral factor (or euro value < collateral value / collateralRate in terms of The Standard protocol), where 0 <= collateral factor <= 1. This invariant should be valid both for each position and for the whole protocol.
There are two cases of invariant break for a position:
collateral value * collateral factor < Issued stable coin value <= collateral value- in such cases, the position is liquidated, collateral is sold, and its value is enough to repay (burn) all issued stablecoins.Issued stable coin value > collateral value- in such cases, the position is also liquidated, collateral is sold, but its value is not enough to repay (burn) all issued stablecoins:X - issued stablecoins, Y - repaid and burnt during liquidation stablecoins where Y < X. X-Y is the protocol's bad debt. It means if all users close their positions, X-Y stablecoins are still issued. But this amount is backed by nothing.
When the protocol has bad debt, the fair price of a stablecoin = (Issued stablecoins - Bad debt) / Issued stablecoins and it is < 1. It means that the stablecoin tends to be unpegged.
To return the peg, the protocol must buy stablecoins from the market and burn them. It means that Bad debt is the direct protocol loss.
The protocol is interested in the fastest liquidation of undercollateralised vaults, especially in a continuously falling market, to prevent the appearance of bad debt.
Positions added to the liquidation pool have a delay of 1 day. This prevents the use of delayed funds in liquidations, which could lead to bad debt appearance.
Example:
User1 minted 1_000_000 EUROs.
Liquidation pool's positions are 500_000 EUROs.
Falling market, User1's vault is close to liquidation.
User2 decides to add 500_000 EUROs to the liquidation pool to help liquidate User1's vault.
1h later, User1's vault becomes undercollateralised, liquidation is triggered.
(very simple) 500_000 EUROs out of 1_000_000 are burnt (pool position without delay), half of collaterals goes to
LiquidationPoolManager.protocol.From the explanation in Discord channel,
LiquidationPoolManager.protocolis EOA/multisig of the team.
It will take time for The Protocol team members to sell received collateral, buy and burn EURO to avoid bad debt.
It could be critical on the falling market since the bought EUROs amount could be < 500_000.
It wouldn't happen if User2's funds took part in the liquidations.
Flashloans also should be allowed. Yes, it breaks the collateral distribution scheme to holders, but the protocol's first priority must be the avoidance of bad debts and not distributions of collaterals among holders.
Impact
Bad debt could appear.
Tools Used
Manual review
Recommended Mitigation
Get rid of delays for increasing position, at least when positions without delay are not enough to liquidate an undercollateralised vault.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.