Core Contracts

Vulnerability Details

The StabilityPool contract allows designated managers to initiate liquidation processes for borrowers whose loans are undercollateralized or otherwise at risk. However, the current implementation does not explicitly prevent a manager from initiating the liquidation of their own debt. This oversight could potentially allow a manager to manipulate the liquidation process to their advantage, especially if they can influence the conditions under which their own debt is liquidated.

Impact

The ability for a manager to liquidate their own debt introduces several risks:

1. Conflict of Interest: Managers could manipulate liquidation terms or timing to minimize their losses or maximize their gains at the expense of other protocol participants.

2. Financial Exploitation: If managers can affect the price or other critical parameters, they might liquidate their positions under favorable conditions, potentially leading to losses for the protocol or other users.

3. Loss of Integrity and Trust: Allowing managers to liquidate their own debts undermines the trustworthiness and integrity of the lending platform, as users may perceive the platform as being susceptible to insider manipulation.

Recommendations

1. Restrict Self-Liquidation : Modify the liquidateBorrower() function to prevent managers from initiating the liquidation of their own debts. This can be achieved by adding a check to ensure that msg.sender is not equal to userAddress.

Here’s a proposed modification to the liquidateBorrower() function: