DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

checkLiquidatableAccounts returns incomplete list of accounts for liquidations

Summary

checkLiquidatableAccounts returns an incomplete list of accounts for liquidation from the provided bounds.

Vulnerability Details

The checkLiquidatableAccounts function is used to retrieve the list of accounts that should be liquidated. It receives two parameters, lowerBound and upperBound, so it should return the accounts in the given range. But because of the condition in the for loop

for (uint256 i = lowerBound; i < upperBound; i++)

it omits the element at the last position (accountsIds[upperBound]).

Zaros implemented a very similar method named getAccountsWithActivePositions (GlobalConfigurationBranch), where the bound is handled correctly:

for (uint256 i = lowerBound; i <= upperBound; i++)

Note the difference in the comparison operator (< vs <=). The two functions also define a different result array size.
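The two loop conventions side by side, as an added Python model that is not Zaros code: it scans a constructed account list with a half-open ([lower, upper)) and a closed ([lower, upper]) bound, then walks the array in pages the way a keeper would, showing which accounts are missed (or which call reverts) when the caller's convention does not match the contract's. ACCOUNT_IDS, LIQUIDATABLE, check_exclusive, check_inclusive, scan_all and missed are assumed names.

```python
from typing import Callable, List, Optional, Set

# Constructed sample data (not from the Zaros code base).
ACCOUNT_IDS: List[int] = [101, 102, 103, 104, 105, 106, 107]
LIQUIDATABLE: Set[int] = {102, 104, 107}


def check_exclusive(lower: int, upper: int) -> List[int]:
    """Mirrors checkLiquidatableAccounts: `i < upperBound`, index upper is never read."""
    return [ACCOUNT_IDS[i] for i in range(lower, upper) if ACCOUNT_IDS[i] in LIQUIDATABLE]


def check_inclusive(lower: int, upper: int) -> List[int]:
    """Mirrors getAccountsWithActivePositions: `i <= upperBound`, index upper is read."""
    return [ACCOUNT_IDS[i] for i in range(lower, upper + 1) if ACCOUNT_IDS[i] in LIQUIDATABLE]


def scan_all(check: Callable[[int, int], List[int]], page: int,
             closed_ranges: bool) -> Optional[List[int]]:
    """Simulate a keeper walking ACCOUNT_IDS in pages of `page` indices.

    closed_ranges=True  -> caller passes [lower, upper], upper included.
    closed_ranges=False -> caller passes [lower, upper), upper excluded.
    Returns None when a page reads past the array: the analogue of an
    out-of-bounds panic reverting the whole on-chain call.
    """
    found: List[int] = []
    n = len(ACCOUNT_IDS)
    lower = 0
    try:
        while lower < n:
            upper = min(lower + page - 1, n - 1) if closed_ranges else min(lower + page, n)
            found.extend(check(lower, upper))
            lower += page
    except IndexError:
        return None
    return found


def missed(found: Optional[List[int]]) -> Set[int]:
    """Liquidatable accounts a scan did not report (all of them if it reverted)."""
    return set(LIQUIDATABLE) if found is None else LIQUIDATABLE - set(found)
```

With page size 3, an exclusive-bound scanner driven with closed ranges silently drops account 107 (the last index of each page), while an inclusive-bound scanner driven with half-open ranges reports 104 twice and then reverts on the final page; only matching conventions cover every account exactly once.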

Impact

The protocol uses this function to get the list of accounts to be liquidated. Omitting such an account means that its collateral will not be sufficient to cover the losses, resulting in protocol losses.

Tools Used

Manual review

Recommendations

Use a similar implementation to the one in getAccountsWithActivePositions.

Updates

Lead Judging Commences

inallhonesty (Lead Judge), over 1 year ago

Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

meeve (Submitter), over 1 year ago

inallhonesty (Lead Judge), about 1 year ago

Submission Judgement Published
Invalidated
Reason: Design choice
