Submission Details
Severity:
Liquidations will be impossible as we are depositing a wrong token
Summary
Liquidations will be impossible as we are depositing a wrong token
Vulnerability Details
Upon depositing in the StabilityPool, we send RTokens:
rToken.safeTransferFrom(msg.sender, address(this), amount);
However, when liquidations are supposed to be done, they have the following check:
uint256 crvUSDBalance = crvUSDToken.balanceOf(address(this));
if (crvUSDBalance < scaledUserDebt) revert InsufficientBalance();
As we do not deposit crvUSD tokens and there is no reason for such tokens to be in the contract, the liquidations will be impossible.
Impact
Liquidations won't work which is detrimental for the protocol
Tools Used
Manual Review
Recommendations
Liquidations are done with crvUSD so refactor the code to handle it properly
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
StabilityPool design flaw where liquidations will always fail as StabilityPool receives rTokens but LendingPool expects it to provide crvUSD
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.