Liquidation reverts if one of the accounts has a blacklisted collateral (USDT and/or USDC)
Summary
The liquidation process handle an array of accounts that needs to be liquidated to maintain the protocol healthy but if a single one has it collateral blacklisted (USDC or USDT) all the transaction will fail when safeTransfer fees to the recepient
Vulnerability Details
The branch LiquidationBranch has a method liquidateAccounts([] accountsIds) that handles accounts liquidation, the problem is that if a single account of the array has a collateral that is blacklisted it will revert the safeTransfer method when sending the fee to the fee recipient. The stack trace would be:
Impact
Protocol can't liquidate an account that has it collaterals blacklisted (USDT and/or USDC). Also the liquidation process accept many account to liquidate, in that case if only one is blacklisted the liquidation will fail for all accounts and the protocol will be unhealthy.
Tools Used
VS Code
Recommendations
An account can have more collaterals that are not blacklisted so the process instead of revert could continue to see if can liquidate with the next collateral asset in the loop and that way could liquidate the blacklisted account properly and don't harm the other accounts liquidation. Another less fancy solution could be to detect account with blacklisted collateral and don't liquidate them.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.