`StabilityPool::liquidateBorrower` always fail to liquidate borrower because of `InsufficientBalance()` error
Summary
when liquidating bad debt, anyone can call LendingPool::initiateLiquidationand after some time (grace period), if the borrower does not repay, the borrower NFT would be liquidated by StabilityPoolowner or manager by calling liquidateBorrower. But the function have an error where it checks StabilityPool's asset token balance against the current debt amount, but as we know the contract itself does not held any asset token.
Vulnerability Details
lets check the liquidateBorrower:
the function check if the Stability pool asset token balance is lower than the scaledUserDebtthen the call revert.
this statement always return true, because the Stability pool contract itself does not handle asset token, instead it handle RToken. the correct contract that held the asset token is the RToken contract address.
so everytime owner or manager of stability pool try to liquidate borrower, the function always revert.
Impact
bad debt borrower's collateral cant be liquidated, this would affect the overall system state.
Tools Used
manual review
Recommendations
check the RToken address of the asset token balance it held, and then use transferFrom the amount needed to cover the debt into Stability pool contract. now the contract can safely call LendingPool::finalizeLiquidation
Lead Judging Commences
StabilityPool design flaw where liquidations will always fail as StabilityPool receives rTokens but LendingPool expects it to provide crvUSD
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.