Core Contracts

Summary

A vulnerability in the closeLiquidation() function allows users to close their liquidation position while still maintaining debt of up to 1 USD due to an incorrectly used dust threshold check. This could be exploited by multiple users to extract value from the protocol through accumulated unpaid debts.

Vulnerability Details

The issue is in closeLiquidation():

The function allows a user to close their liquidation if their remaining debt is less than or equal to 1 USD (DUST_THRESHOLD). This threshold is too high for this purpose, as:

• It allows users to keep significant unpaid debt (up to 1 USD), especially when accumulated over a lot of users

• The debt check allows any amount ≤ 1 USD when it should require zero or near-zero debt

• This function is meant to verify full debt repayment before closing liquidation, not to handle dust amounts

Impact

The vulnerability allows malicious users to:

• Get liquidated

• Repay just enough to get under 1 USD debt

• Close their liquidation

• Escape liquidation while still owing money to the protocol

This can be exploited by multiple users to accumulate significant protocol losses:

100 users exploiting this = up to 100 USD lost
1000 users = up to 1000 USD lost
Each instance also prevents proper liquidation of the NFT collateral

Tools Used

Manual code review

Recommendations

• Remove or significantly reduce the dust threshold for closing liquidations:

  // Option 1: Require exact zero debt

  if (userDebt != 0) revert DebtNotZero();

  ​

  // Option 2: Use much smaller dust threshold if needed for rounding

  uint256 private constant LIQUIDATION_DUST_THRESHOLD = 1e2; // $0.0001

  if (userDebt > LIQUIDATION_DUST_THRESHOLD) revert DebtNotZero();

• Reduce DUST_THRESHOLD to a much smaller value (e.g., $0.0001 instead of $1)

• Require zero debt for liquidation closure unless a justified rounding dust threshold is required