In contracts::core::pools::LendingPool::LendingPool.sol
, the finalizeLiquidation
function emits the LiquidationFinalized
event, including the user's collateral liquidated, after deleting user.nftTokenIds
. This results in getUserCollateralValue(userAddress)
returning 0
, misleading off-chain services relying on event emission.
In finalizeLiquidation
, the function processes liquidation by transferring NFTs, updating debt balances, and emitting the LiquidationFinalized
event. The last parameter of this event is collateralLiquidated
, which is the amount of collateral liquidated. Therefore, the function calls getUserCollateralValue(userAddress)
, which iterates over user.nftTokenIds
to compute collateral value. However, since getUserCollateralValue(userAddress)
is called after user.nftTokenIds
has been deleted, the function returns 0
instead of the actual collateral value.
In contracts/core/pools/LendingPool/LendingPool.sol#L511-L535
:
Since getUserCollateralValue
retrieves NFT prices by iterating user.nftTokenIds
, an empty array results in a 0
collateral value in the emitted event, leading to inaccurate data.
In contracts/core/pools/LendingPool/LendingPool.sol#L561-L572
:
Frontend or other off-chain services may display incorrect values, potentially misleading users.
Manual Review
Capture the user's collateral value before deleting user.nftTokenIds
:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.