`stabilityPool` doesn't distribute the liquidation cost to all depositors
Summary
deTokens are minted 1-to-1 to deposited rToken amount. This mechanism doesn't allow the distribution of liquidation costs to be supported by all depositors.
Vulnerability Details
Users can deposit rTokens to StabilityPool and a 1-to-1 amount of deToken is minted.
When a borrower is liquidated, its debt is paid from the StabilityPool assets.
Note: there's another issue, reported in a separate submission, related to the wrong asset used to cover the debt. Fixing it doesn't resolve the issue described in this submission.
When a user withdraw, the amount of deToken redeemed is burned and the same amount of rTokens is transferred to user.
Because, after liquidations, StabilityPool will have less tokens than the sum of all deposits, not all depositors are able to withdraw their rTokens.
Impact
The liquidation cost is supported by last withdrawers.
Tools Used
Recommendations
StabilityPool should implement a share-based mechanism (instead of the 1-to-1 deToken minting) so that covered liquidation is supported by all StabilityPool depositors based on their contribution.
Lead Judging Commences
StabilityPool::getExchangeRate hardcodes 1:1 ratio instead of calculating real rate, enabling unlimited deToken minting against limited reserves
StabilityPool::getExchangeRate hardcodes 1:1 ratio instead of calculating real rate, enabling unlimited deToken minting against limited reserves
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.