`checkLiquidatableAccounts()` returns incorrect result
Summary
Function LiquidationBranch.checkLiquidatableAccounts() is used by Keeper to perform health checks. This function returns array of accountIds which Keeper then liquidates.
Problem is that it uses incorrect index to populate that array of accountIds.
Vulnerability Details
Here you can see that loop variable i has prefix of lowerBound. However in the end it forgets to account prefix:
https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/LiquidationBranch.sol#L83
So basically consider scenario:
Keeper is configured to check accounts in bounds
lowerBound = 5andupperBound = 10.liquidatableAccountsIdsarray will have length10 - 5 = 5.In the very first operation it will try to set value to index 5, so it will revert due to out-of-bounds error.
Impact
As you can see checkLiquidatableAccounts() will revert when lowerBound > 0 - this is intended usage. Liquidation Keeper uses this function to track whether accounts are unhealthy:
https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/external/chainlink/keepers/liquidation/LiquidationKeeper.sol#L58
So as a result Keeper fails to track liquidateable accounts. Inability to track liquidateable accounts is obviously High risk issue.
Tools Used
Manual Review
Recommendations
Lead Judging Commences
`LiquidationBranch::checkLiquidatableAccounts()` executes `for` loop where `liquidatableAccountsIds[i] = tradingAccountId;` gives out of bounds if `lowerBound != 0`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.