The MErc20DelegateFixer contract includes a fixUser() function intended to liquidate a portion of the user's tokens. The amount to be liquidated is determined by the user's current token balance, accountTokens[user], read at the time the call executes. A user might be trying to maximize their potential profits or minimize losses from holding onto their tokens for as long as possible.
A malicious user anticipating a liquidation due to their debts monitors the transaction pool for an incoming fixUser call targeting their account. Upon detecting such a transaction, the user initiates a withdrawal or token transfer moving a significant portion of their balance to another account. This transaction is submitted with a higher gas fee to ensure it is processed before the liquidation. The liquidation transaction fixUser is then processed, but the user's balance has already been reduced, resulting in a lower liquidation amount or complete evasion.

This directly affects the contract's ability to enforce debt obligations. This vulnerability allows a user with outstanding debts to evade token liquidation by front-running the fixUser function with a transfer of their tokens before the liquidation transaction is processed.
Manual Review
Restructure the contract logic to delay any transfers during the liquidation process.
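The following sketch, added here as an illustration and not taken from the MErc20DelegateFixer source, puts the vulnerable shape of fixUser beside a hardened shape that follows the recommendation: transfers are requested and only executed after a delay, so the balance fixUser reads cannot be drained by a transaction mined just before it. The contract name, the simplified accountTokens mapping, the bps parameter, TRANSFER_DELAY and the request/execute functions are all assumptions.

```solidity
// Added illustration only; names and the one-hour delay are assumptions.
pragma solidity ^0.8.20;

contract FixerSketch {
    address public admin;
    uint256 public constant TRANSFER_DELAY = 1 hours; // assumed value
    mapping(address => uint256) public accountTokens;
    struct Pending { address to; uint256 amount; uint256 readyAt; }
    mapping(address => Pending) public pending;

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    constructor() { admin = msg.sender; }

    // Vulnerable shape: the amount is computed from the live balance at
    // execution time, so a transfer mined immediately before this call
    // shrinks (or zeroes) what gets liquidated.
    function fixUserVulnerable(address user, uint256 bps) external onlyAdmin {
        uint256 amount = accountTokens[user] * bps / 10_000;
        accountTokens[user] -= amount;
    }

    // Hardened shape: a transfer is first requested, then executed after
    // TRANSFER_DELAY. The sender's balance is not debited until execution,
    // so a request submitted ahead of fixUser cannot move tokens out in time.
    function requestTransfer(address to, uint256 amount) external {
        require(pending[msg.sender].amount == 0, "transfer already pending");
        require(accountTokens[msg.sender] >= amount, "insufficient balance");
        pending[msg.sender] = Pending(to, amount, block.timestamp + TRANSFER_DELAY);
    }

    function executeTransfer() external {
        Pending memory p = pending[msg.sender];
        require(p.amount != 0 && block.timestamp >= p.readyAt, "not ready");
        // Re-check against the current balance: fixUser may have reduced it.
        require(accountTokens[msg.sender] >= p.amount, "insufficient balance");
        delete pending[msg.sender];
        accountTokens[msg.sender] -= p.amount;
        accountTokens[p.to] += p.amount;
    }

    // fixUser still reads accountTokens[user], but that balance now includes
    // any amount the user has merely requested to move. A pending transfer
    // that the reduced balance no longer covers is cancelled.
    function fixUser(address user, uint256 bps) external onlyAdmin {
        uint256 amount = accountTokens[user] * bps / 10_000;
        accountTokens[user] -= amount;
        if (pending[user].amount > accountTokens[user]) delete pending[user];
    }
}
```

The delay only has to exceed the window between a fixUser call appearing in the mempool and its inclusion in a block; a delay shorter than that window leaves the front-running path open.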