Summary

The liquidation process does not enforce a minimum liquidation amount, which can lead to the processing of extremely small (dust) positions. This inefficiency can result in disproportionate gas consumption relative to the liquidation size, and may also be exploited by malicious liquidators to force unnecessary liquidations on small positions.

Vulnerability Details

Within the liquidateAccounts(...) function, the protocol calls tradingAccount.deductAccountMargin as shown in the snippet:

In this implementation, there is no safeguard to prevent the liquidation of very small amounts. This means that even dust-sized positions can be liquidated, leading to inefficient gas usage. Moreover, a malicious liquidator might exploit this by repeatedly liquidating small positions to unnecessarily incur gas costs or to disrupt normal liquidation behavior for traders with minor positions.

Impact

• Gas Inefficiency: Liquidating small positions can lead to gas consumption that is not economically justified, making the process inefficient for liquidators.

• Exploitation Risk: Malicious actors might target dust positions for strategic reasons, possibly leading to a higher frequency of liquidations on trivial amounts.

• User Impact: Traders with small positions may face repeated, inefficient liquidations, potentially increasing transaction costs and overall losses.

Tools Used

• Manual Code Review: A detailed inspection of the liquidation flow in LiquidationBranch.sol uncovered the absence of a minimum liquidation amount check.

• Static Analysis Tools: Automated tools were used to trace fund flow and identify areas where minimum thresholds could enhance efficiency.

• Simulation Testing: Scenarios were simulated to analyze gas costs relative to very small liquidation amounts, confirming the potential inefficiency.

Recommendations

• Introduce a Minimum Liquidation Threshold: Implement a check that prevents the liquidation process from proceeding if the collateral or position size is below a pre-defined minimum value. For example:

  require(

  collateralAmount >= MIN_LIQUIDATION_AMOUNT,

  "Liquidation amount below minimum threshold"

  );

• Dynamic Threshold Adjustment: Consider implementing dynamic minimum thresholds based on market conditions and gas prices to maintain economic efficiency.

• Document Behavior: Clearly document the minimum liquidation requirements in protocol documentation and user interfaces, so that liquidators and traders are aware of the bounds.

• Thorough Testing: Develop and execute tests to ensure that the minimum threshold logic prevents dust liquidations without affecting legitimate liquidation events.