Summary

Users with bad debt already repaid might get liquidated.

Vulnerability Details

All the users are liquidated using fixUser() function of MErc20DelegateFixer.sol. The fixUser() funciton takes user and liqiudator as parameter. Here, the user is liquidated during migration from mip-m17.sol contract.

Basically liquidation happens for mFRAXDebtors and mxcDOTDebtors. And these debtors/users addresses are stored in .json files and they are liquidated by iterating over them one by one.

Let's assume that in the duration between the contracts being frozen after the hack and upgrading the contract, some users in that mFRAX.json and mxcDOT.json files have already repaid their bad debt.

Now, those users might have a healthy borrow position against their collateral after paying off their bad debt. But, the json files have already been generated and liquidation for those users with no bad debt will take place no matter what.

Also, those users might have open new borrowing positions which are healthy, but they will still be liquidated.

Impact

Users without bad debt might also get liquidated which may cause users to lose some funds.

Tools Used

Manual Analysis

Recommendations

Generate latest json files for both mFRAX.json and mxcDOT.json with the list of updated user addresses with bad debt or introduce a mechanism to check bad debt before liquidating users.