Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Not updating the lending pool upon a liquidation will be problematic

Summary

Not updating the lending pool upon a liquidation will be problematic

Vulnerability Details

To finalize a liquidation, StabilityPool::finalizeLiquidation() must be called. The first 2 lines of that function are:

uint256 userDebt = lendingPool.getUserDebt(userAddress);
uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());

The issue is that both of them use the debt index of the lending pool. Because the index has not been updated at this point, these 2 values are incorrect and outdated: they do not include the latest interest that should have accrued. Then, at the end of the function, we have these 2 lines:

// Update lending pool state before liquidation
lendingPool.updateState();
// Call finalizeLiquidation on LendingPool
lendingPool.finalizeLiquidation(userAddress);

We update the pool at that point, but it is of no use: firstly, finalizeLiquidation() will update it anyway, and secondly, we have already used the out-of-sync values to compute the debt to repay.

Impact

Using an outdated debt will cause the liquidation to fail, as we won't be fully repaying the debt.

Tools Used

Manual Review

Recommendations

Update the pool at the beginning of the function.
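The effect of the ordering can be seen in a small model. This is an added example, not code from the audited contracts: LendingPoolModel, the linear interest accrual, the 10% rate and the amounts are assumptions chosen for illustration. It compares the debt computed before and after the index update against what the pool expects once it has updated itself.

```python
# Simplified model, added for illustration: NOT the audited contracts.
# Linear accrual, the 10% rate and all amounts are constructed assumptions.
RAY = 10**27
SECONDS_PER_YEAR = 365 * 24 * 3600

def ray_mul(a, b):
    # Ray multiplication, rounded half up
    return (a * b + RAY // 2) // RAY

class LendingPoolModel:
    def __init__(self, rate_ray, now=0):
        self.usage_index = RAY      # debt index, starts at 1.0 in ray
        self.rate_ray = rate_ray    # annual borrow rate in ray
        self.last_update = now
        self.scaled_debt = {}       # user -> debt divided by index at borrow

    def update_state(self, now):
        # Accrue the interest since the last update into the index
        elapsed = now - self.last_update
        growth = RAY + self.rate_ray * elapsed // SECONDS_PER_YEAR
        self.usage_index = ray_mul(self.usage_index, growth)
        self.last_update = now

    def borrow(self, user, amount):
        scaled = amount * RAY // self.usage_index
        self.scaled_debt[user] = self.scaled_debt.get(user, 0) + scaled

    def debt_at_current_index(self, user):
        # Only as fresh as the last update_state() call
        return ray_mul(self.scaled_debt[user], self.usage_index)

def shortfall(update_first):
    """Debt the pool expects minus the debt the caller prepared to repay."""
    pool = LendingPoolModel(rate_ray=RAY // 10)     # 10% per year
    pool.borrow("alice", 1_000 * 10**18)
    now = 30 * 24 * 3600                            # 30 days without updates
    if update_first:
        pool.update_state(now)                      # recommended ordering
    prepared = pool.debt_at_current_index("alice")  # amount readied for repayment
    pool.update_state(now)                          # the pool updates anyway
    return pool.debt_at_current_index("alice") - prepared

if __name__ == "__main__":
    print("update at end  :", shortfall(update_first=False))
    print("update at start:", shortfall(update_first=True))
```
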

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool: liquidateBorrower should call lendingPool.updateState earlier, to ensure the updated usageIndex is used in calculating the scaledUserDebt
