Moonwell

Summary

The existence of user bad debt should be in some form verified on-chain before the execution of the proposal.

Vulnerability Details

Nowhere in the process of liquidating users with bad debt is it confirmed on-chain using state variables that they actually have bad debt.
For the sake of full safety of this process and trust minimization - it should be confirmed at least that the user has more borrowed amounts than he should have.

Impact

Some issues that arrive from this approach of simply using a .json file and then confirming that the user has some borrowed amount from the protocol:

• User can repay his debt (he no longer has bad debt) before the time of the execution of the proposal and he will still get liquidated

• Users without bad debt can still be liquidated (lets say due to a mistake in the .json files)

• Centralization risks: Admin (unlikely, the DAO) can liquidate whatever user he wants and thus manipulate contract state

Tools Used

Manual review

Recommendations

Add some check to confirm the existence of bad debt on-chain.
It could be comparing that the value of the collateral and the value of borrowed amount exceeds a certain threshold.