Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

faulty implementation of checkLiquidatableAccounts

0xleadwizard

Description

The checkLiquidatableAccounts takes a two-parameter lowerBound and upperBound representing a range in globalConfiguration.accountsIdsWithActivePositions and checks if the accounts in that range are liquidatable, and if they are return tradingAccountId in an array named liquidatableAccountsIds

The issue comes in how the implementation for initializing value is done for liquidatableAccountsIds array.

// account can be liquidated if requiredMargin > marginBalance
if (TradingAccount.isLiquidatable(requiredMaintenanceMarginUsdX18, marginBalanceUsdX18)) {
// @audit [high] It should be liquidatableAccountsIds[i - lowerBound] = tradingAccountId;
liquidatableAccountsIds[i] = tradingAccountId;
}

The value of i defined by

// iterate over active accounts within given bounds
for (uint256 i = lowerBound; i < upperBound; i++) {...}

Hence liquidatableAccountsIds[i] should be liquidatableAccountsIds[i - lowerbound] otherwise, the initialization will throw the array out-of-bounds anytime the lowerBound != 0


Impact

checkLiquidatableAccounts is a critical function since it's going to be called by the keepers who are going to liquidate positions, and it reverting means there will be no liquidation happening.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`LiquidationBranch::checkLiquidatableAccounts()` executes `for` loop where `liquidatableAccountsIds[i] = tradingAccountId;` gives out of bounds if `lowerBound != 0`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.