First Flight #21: KittyFi

First Flight #21

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect Liquidation Execution in `KittyPool::purrgeBadPawsition`

esoetheric

Summary

The KittyPool::purrgeBadPawsition function in KittyPool.sol is intended to liquidate the bad debt position of a user. However, there is a critical issue with the executeWhiskdrawal call within the loop over vaults. The function currently attempts to withdraw collateral from the liquidator (caller of purrgeBadPawsition) rather than from the user with the bad position. This misbehavior leads to incorrect asset transfers and a failure to properly liquidate the user's debt.

Vulnerability Details

for (uint256 i; i < vaults_length; ) {

IKittyVault _vault = IKittyVault(vaults[i]);

uint256 vaultCollateral = _vault.getUserVaultMeowllateralInEuros(_user);

uint256 toDistribute = vaultCollateral.mulDiv(redeemPercent, PRECISION);

uint256 extraCollateral = vaultCollateral - toDistribute;

uint256 extraReward = toDistribute.mulDiv(REWARD_PERCENT, PRECISION);

extraReward = Math.min(extraReward, extraCollateral);

_totalAmountReceived += (toDistribute + extraReward);

> _vault.executeWhiskdrawal(msg.sender, toDistribute + extraReward);

unchecked {

++i;

}

Impact

Since forced liquidations are not functioning, the protocol will continue to accumulate bad debt. Additionally, a user attempting to liquidate another's bad position risks wasting gas without success, or if they have sufficient cattynip, they will see their shares of various vaults spent as if they intended to withdraw.

Tools Used

Manual review.

Recommendations

The problem is quite extensive. I believe a solution which doesn't involve heavy refactoring should start from rewriting the problematic loop in purrgeBadPawsition and the subsequent creation of a specific liquidation function in the vaults that avoids using executeWhiskdrawal. This new function could take as arguments the address of the user to be liquidated, the address of the liquidator, redeemPercent, and REWARD_PERCENT. The new function should check how much cattynip the user being liquidated has in the vault, burn the proper amount, and then send the collateral to the liquidator.

Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`purrgeBadPawsition` doesn't reward the liquidator instead perform withdrawal of their own collateral or lead to a DoS

Rewards breakdown

nSLOC

224

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.