Summary

Due to gas costs, there is no incentive to liquidate low value accounts, such as 1, 5, 10$ value accounts, accumulating bad debt

Vulnerability Details

Reasons for the vulnerability:

Liquidators liquidate users in order to make profits.Assuming there is no profit to be made, then no one (including the admin) calls the fixUser function. For example, an account has $1,5,10 worth of collateral and multiple loanable tokens minted. The user is undercollateralized and must be liquidated at this time to ensure that the protocol remains overcollateralized. However, the current cost of natural gas is very high. Coupled with the gas required for function execution, the cost is greater than the benefit. The liquidator will not make a profit by liquidating this user. Eventually, these low-value accounts will never be liquidated, leaving the protocol with bad debt, and may even cause the protocol to become undercollateralized because enough low-value accounts become underwater.

related resources:

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/issues/1096

Impact

1. Impact on users:

The protocol may be undercollateralized and may not allow users to redeem tokens, resulting in a complete loss of funds.

2. Impact on liquidators

The liquidator cannot liquidate users, causing the protocol to accumulate bad debts

3. Impact on the agreement:

If this vulnerability persists, attackers can choose to accumulate bad debts when gas is low. Market emergencies will cause gas to surge and the protocol will be paralyzed.

Tools Used

Manual review

Recommendations

One potential solution could be to only allow users to mint loanable tokens when the collateral value exceeds a certain threshold