Summary

The liquidation process deducts the maintenance margin, liquidation fee, and a calculated unrealized PnL from the user's account without any explicit mechanism to return any leftover collateral. This behavior results in the complete depletion of the user's margin, even if excess funds remain that are not strictly required to cover the liquidation costs.

Vulnerability Details

Within the liquidateAccounts(...) function, the protocol calls tradingAccount.deductAccountMargin to remove the necessary funds from the user's collateral. The code snippet below illustrates this process:

The lack of an obvious redistribution or refund mechanism for any remaining margin implies that, if the user had more collateral than the sum of the maintenance margin, fees, and perceived losses, the excess is not returned. This could essentially zero out the user's collateral even when they held a surplus.

Impact

• User Fund Losses: Liquidated traders might lose extra collateral beyond what is necessary to cover their liabilities, unfairly penalizing them.

• Incentive Misalignment: The absence of a refund mechanism for excess margin funds could reduce user confidence in the protocol, as traders may feel their funds are being taken unnecessarily.

• Protocol Fairness: Without clear rules on the redistribution of leftover funds, there can be ambiguity in margin accounting, leading to potential disputes and a lack of trust in the liquidation process.

Tools Used

• Manual Code Review: A thorough inspection of the liquidation logic in the LiquidationBranch.sol was conducted.

• Static Analysis: Automated tools were used to trace fund flows and detect discrepancies in collateral handling.

• Integration Testing: Test scripts simulating liquidation scenarios helped identify that excess margin was not being redistributed.

Recommendations

• Implement a Refund Mechanism: Adjust the liquidation logic to explicitly calculate and refund any leftover margin back to the liquidated user. This would involve:

  • Determining the exact surplus after deducting required amounts.

  • Safely crediting the surplus back to the user's account.

• Enhance Documentation: Clearly document the intended behavior regarding any surplus margin so that users understand what happens to their collateral during liquidation.

• User Notifications: Consider emitting additional events that detail the amount of leftover margin credited back to users for better transparency.

• Thorough Testing: Develop comprehensive tests to cover scenarios where the deducted margin is less than the total available funds, ensuring that the refund mechanism operates correctly without introducing new vulnerabilities.