DeFiFoundry
60,000 USDC
Submission Details
Severity: high
Valid

TradingAccount::isLiquidatable is not consistent with the protocol documentation

Summary

The function TradingAccount::isLiquidatable is not implemented as it is described under https://docs.zaros.fi/overview/products/perpetuals-dex/liquidation#liquidation-mechanics

Vulnerability Details

For a liquidation to occur, the function TradingAccount::isLiquidatable() is called, where the following condition is checked:

requiredMaintenanceMarginUsdX18.intoSD59x18().gt(marginBalanceUsdX18). In other words, if requiredMM > marginBalance, then the user can be liquidated.

The documentation states another condition for a user to be liquidated. The user can be liquidated if requiredMM + liqFee >= marginBalance.

Impact

The implemented liquidation condition is more stringent than the one described in the documentation. Users can be unjustly liquidated, leading to a loss of trust in the protocol.

Tools Used

Manual Review

Recommendations

Keep the condition for liquidation consistent throughout the documentation and code.
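
The two conditions quoted under Vulnerability Details can be checked against each other with a small differential model. This Python sketch is an added example, not code from the submission or from the Zaros code base; the function names and the sample values (maintenance margin of 100 USD, liquidation fee of 5 USD, 18-decimal scaling) are assumptions constructed for illustration.

```python
# Added illustration: a model of the two liquidation predicates, not Zaros code.
# Amounts are USD values scaled by 1e18 (assumed 18-decimal fixed point).
ONE = 10**18


def code_is_liquidatable(required_mm: int, margin_balance: int) -> bool:
    """Condition quoted from the code: requiredMM > marginBalance."""
    return required_mm > margin_balance


def docs_is_liquidatable(required_mm: int, liq_fee: int, margin_balance: int) -> bool:
    """Condition quoted from the documentation: requiredMM + liqFee >= marginBalance."""
    return required_mm + liq_fee >= margin_balance


def classify(required_mm: int, liq_fee: int, margin_balance: int) -> str:
    """Report whether the two predicates agree for one account state."""
    code = code_is_liquidatable(required_mm, margin_balance)
    docs = docs_is_liquidatable(required_mm, liq_fee, margin_balance)
    if code == docs:
        return "agree:liquidatable" if code else "agree:healthy"
    return "docs-only" if docs else "code-only"


def divergence_band(required_mm: int, liq_fee: int) -> tuple[int, int]:
    """Inclusive range of margin balances on which the predicates disagree."""
    if liq_fee < 0:
        raise ValueError("liquidation fee must be non-negative")
    # docs true and code false  <=>  requiredMM <= balance <= requiredMM + liqFee
    return (required_mm, required_mm + liq_fee)


def sweep(required_mm: int, liq_fee: int, balances: list[int]) -> dict[int, str]:
    """Classify a list of margin balances, including the boundary values."""
    return {mb: classify(required_mm, liq_fee, mb) for mb in balances}


if __name__ == "__main__":
    mm, fee = 100 * ONE, 5 * ONE  # constructed sample values
    lo, hi = divergence_band(mm, fee)
    for mb, verdict in sweep(mm, fee, [lo - 1, lo, hi, hi + 1]).items():
        print(f"marginBalance={mb / ONE:.18f} -> {verdict}")
```

A regression test that pins the chosen condition at both edges of this band keeps the code and the documentation from drifting apart again.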

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Liquidation doesn't take the liquidation fee in consideration inside the isLiquidatable check
