Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

The check passed in the function isLiquidatable is flawed and defers from the actual check stated in the documentation, accounts that should be considered liquidatable are therefore not flaged for liquidation..

bigsam

Summary

The current implementation of the `isLiquidatable` function contains a flaw that prevents certain accounts from being flagged and liquidated as required. This incorrect implementation affects the timely liquidation of accounts and reduces the rewards obtained during liquidation events by the marginCollateralRecipient.

Vulnerability Details

The vulnerability lies in the implementation of the `isLiquidatable` function. According to the documentation, an account is considered liquidatable when: -- https://docs.zaros.fi/overview/products/perpetuals-dex/liquidation#liquidation-criteria:~:text=Liquidation-,Liquidation Criteria,requiredMaintenanceMargin,-Liquidation Mechanics

requiredMM + liquidationFeeUsd ≥ marginBalanceUsd

However, the code does not correctly check this condition. Instead, it only checks if `requiredMaintenanceMarginUsdX18` is greater than `marginBalanceUsdX18`:

/// @notice Checks if the account is liquidatable.

/// @param requiredMaintenanceMarginUsdX18 The required maintenance margin in USD.

/// @param marginBalanceUsdX18 The account's margin balance in USD.

function isLiquidatable(

UD60x18 requiredMaintenanceMarginUsdX18,

SD59x18 marginBalanceUsdX18

)

internal

pure

returns (bool)

{

@audit>> wrong check should be rmm+fee>balance >>>>> return requiredMaintenanceMarginUsdX18.intoSD59x18().gt(marginBalanceUsdX18);

}

This implementation allows for accounts that should be considered liquidatable by the keeper to be skipped when Function checkUpkeep is called.

Impact

Due to the flawed code implementation, some accounts that should be flagged and liquidated are not liquidated on time. This results in decreased rewards for marginCollateralRecipient as the ideal optimal opportunities are missed and lesser fees are obtained.

Tools Used

- Manual Solidity code analysis

- Documentation review

Recommendations

**Correct the `isLiquidatable` Logic**: Update the `isLiquidatable` function to correctly implement the condition specified in the documentation. The function should ensure that the required maintenance margin plus any applicable liquidation fee is compared against the margin balance.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Liquidation doesn't take the liquidation fee in consideration inside the isLiquidatable check

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.