Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Liquidation State Inconsistency Can Lead to Unfair Liquidations in lendingpool

anomX

Summary

The LendingPool contract has a vulnerability in its liquidation process where users who have repaid their debt can still be liquidated if they don't explicitly call closeLiquidation. Additionally, liquidators have an incentive to wait until after the grace period to call finalizeLiquidation as they will pay less for the liquidation.

Vulnerability Details

Source

LendingPool.sol#L468 - closeLiquidation function
LendingPool.sol#L496 - finalizeLiquidation function

The vulnerability stems from three key issues:

The liquidation state (isUnderLiquidation) is not automatically cleared when a user repays their debt
Users must manually call closeLiquidation even after full repayment
The grace period check in finalizeLiquidation allows liquidators to wait for better terms

function closeLiquidation(address userAddress) external nonReentrant {

if (!isUnderLiquidation[userAddress]) revert NotUnderLiquidation();

// update state

ReserveLibrary.updateReserveState(reserve, rateData);

if (block.timestamp > liquidationStartTime[userAddress] + liquidationGracePeriod) {

revert GracePeriodExpired();

}

UserData storage user = userData[userAddress];

uint256 userDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex);

if (userDebt > DUST_THRESHOLD) revert DebtNotZero();

isUnderLiquidation[userAddress] = false;

liquidationStartTime[userAddress] = 0;

emit LiquidationClosed(userAddress);

}

Proof of Concept

Scenario 1 - User Repays But Forgets to Close Liquidation:

User's position becomes liquidatable
User repays their debt through the repay function
User doesn't call closeLiquidation
Liquidator can still call finalizeLiquidation after grace period
User loses their NFTs despite having repaid the debt

Scenario 2 - Liquidator Waits for Grace Period :

User's position becomes liquidatable
Liquidator waits until after grace period
Calls finalizeLiquidation
Gets NFTs at a potentially lower price due to market conditions
Original user suffers greater losses

Impact

Users can lose collateral even after debt repayment
Liquidators can game the system by waiting for grace period expiration
Creates unfair advantages for liquidators
Users may lose more value than necessary in liquidations

Tools Used

Manual code review

Recommendations

Automatically clear liquidation state on full repayment:

function _repay(uint256 amount, address onBehalfOf) internal {

// ... existing code ...

if (user.scaledDebtBalance == 0) {

+ isUnderLiquidation[onBehalfOf] = false;

+ liquidationStartTime[onBehalfOf] = 0;

+ emit LiquidationClosed(onBehalfOf);

}

Consider removing the manual closeLiquidation requirement and make it automatic based on debt status.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

A borrower can LendingPool::repay to avoid liquidation but might not be able to call LendingPool::closeLiquidation successfully due to grace period check, loses both funds and collateral

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!