Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Admin can liquidate a user whose debt is not bad

Summary

Admin can "accidentally" liquidate a "good debt"

Vulnerability Details

There is no check on whether the debt is bad or not. So, the admin may accidentally liquidate a normal position.

The admin (devs, not a timelock contract) can use two functions to call a function with or without a timelock. So if the devs make a liquidate-position call through a timelock, then by the time the call executes after the timelock delay, the "bad" debt may have become "good" debt.
So a good debt will be liquidated, because the final debt status check before the liquidation is missing.

Impact

The user will lose part of his/her funds.

Tools Used

Help from God)

Recommendations

Add a check that the debt is "bad" in the fixUser function.
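
The submission above describes a time-of-check/time-of-use gap: the debt is judged when the call is queued, but not when it executes. The following Python model is an added example, not Moonwell's code; the `Position` and `Market` types, the definition of "bad" debt as borrow value exceeding collateral value, the seize-and-write-off behaviour of `fix_user`, and all amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass


class NotBadDebt(Exception):
    """Raised when a queued fix is executed against a solvent position."""


@dataclass
class Position:
    collateral_value: int  # constructed sample amounts, same unit for both fields
    borrow_value: int

    def is_bad_debt(self) -> bool:
        # Assumption: debt is "bad" when it exceeds the collateral backing it.
        return self.borrow_value > self.collateral_value


@dataclass
class Market:
    positions: dict
    bad_debt: int = 0

    def fix_user(self, user: str, recheck: bool) -> int:
        """Hypothetical fix: seize all collateral, write off the debt."""
        pos = self.positions[user]
        if recheck and not pos.is_bad_debt():
            raise NotBadDebt(user)  # status is evaluated at execution time
        seized = pos.collateral_value
        self.bad_debt += pos.borrow_value
        pos.collateral_value = 0
        pos.borrow_value = 0
        return seized


def run_timelocked_fix(recheck: bool) -> str:
    """Queue a fix while the debt is bad, let it recover, then execute."""
    market = Market({"alice": Position(collateral_value=900, borrow_value=1000)})
    queued_while_bad = market.positions["alice"].is_bad_debt()  # True at queue time
    queued_call = lambda: market.fix_user("alice", recheck)
    # During the timelock delay the user repays most of the debt.
    market.positions["alice"].borrow_value = 400
    try:
        seized = queued_call()
    except NotBadDebt:
        return "reverted"
    return f"queued_bad={queued_while_bad} seized={seized} debt_at_exec=400"
```
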

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
