Zaros Part 1

Summary

An error was discovered in the liquidateAccount function within the liquidation branch codebase. The issue stems from the improper calculation of the liquidation criteria, leading to potential inconsistencies in determining when an account should be liquidated. Specifically, the function only considers the requiredMaintenanceMarginUsdX18 without accounting for the liquidationFeeUsdX18, which results in a failure to accurately determine liquidation eligibility.

Vulnerability Details

Location: liquidateAccount function, liquidation branch codebase

Code Snippet:

Issue: The isLiquidatable check does not include the liquidationFeeUsdX18 in its calculation. The liquidation decision is based solely on requiredMaintenanceMarginUsdX18, which means that accounts that cannot cover both the required maintenance margin and the liquidation fee may not be liquidated as they should be.

Explanation: After liquidation, both requiredMaintenanceMarginUsdX18 and liquidationFeeUsdX18 are deducted from the account. Therefore, the liquidation criteria should consider the sum of these two values. Failing to do so can lead to scenarios where an account appears liquidatable based on the maintenance margin alone but cannot actually cover the additional liquidation fee, leaving the system unable to recoup the necessary fees.

Impact

The system may not recover the appropriate liquidation fees, leading to potential financial losses.

Tools Used

Manual Code Review: In-depth review of the relevant sections of code to ensure the accuracy of the liquidation criteria.

Unit Testing: Writing and running tests to validate the behavior of the liquidateAccount function under various scenarios.

Recommendations

Code Modification: Update the isLiquidatable check to include both requiredMaintenanceMarginUsdX18 and liquidationFeeUsdX18. The revised condition should be: