The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

No incentive for holders to start liquidation a vault, especially vault with small token left

greatlake

Summary

There is no incentive to liquidate low value accounts accounts because of gas cost and reward split

Vulnerability Details

To start liquidation, function runLiquidation() need to be called:

function runLiquidation(uint256 _tokenId) external {//@audit no incentive
    ISmartVaultManager manager = ISmartVaultManager(smartVaultManager);
    manager.liquidateVault(_tokenId);
    distributeFees();
    ITokenManager.Token[] memory tokens = ITokenManager(manager.tokenManager()).getAcceptedTokens();
    //@note chỉ có token được accept mới có thể claim reward với bị liquidation
    ILiquidationPoolManager.Asset[] memory assets = new ILiquidationPoolManager.Asset[](tokens.length);
    uint256 ethBalance;
    for (uint256 i = 0; i < tokens.length; i++) {
        ITokenManager.Token memory token = tokens[i];
        if (token.addr == address(0)) {
            ethBalance = address(this).balance;
            if (ethBalance > 0) assets[i] = ILiquidationPoolManager.Asset(token, ethBalance);
        } else {
            IERC20 ierc20 = IERC20(token.addr);
            uint256 erc20balance = ierc20.balanceOf(address(this));
            if (erc20balance > 0) {
                assets[i] = ILiquidationPoolManager.Asset(token, erc20balance);
                ierc20.approve(pool, erc20balance);
            }
        }
    }
    LiquidationPool(pool).distributeAssets{value: ethBalance}(assets, manager.collateralRate(), manager.HUNDRED_PC());//@audit
    forwardRemainingRewards(tokens);
}

Reward holders will receive will be based on total collateral left in the vault and total token staked. If there is no profit to be made than there will be no one to call the liquidate function. When the value of the vault is low, after gas costs, caller will not make a profit by liquidating the vault, leaving the protocol with bad debt. Even when there is a profit, there might be no incentive to call because the reward they could receive is not different than when other holders call.

Impact

The protocol can be potentially undercollateralized

Tools Used

Manual review.

Recommendations

Although protocol owner can tracking vaults and call this function, but the best solution is reward caller part of the token in the vault to incentive everyone liquidating the vault when the vault underwater.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

underwater

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.