Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Liquidation Risks & DOS Attack

Summary

initiateLiquidation() marks a user as under liquidation, but there's no safeguard against spam liquidations.

Attackers can lock users in liquidation mode maliciously.

Vulnerability Details

    function initiateLiquidation(address userAddress) external nonReentrant whenNotPaused {
        if (isUnderLiquidation[userAddress]) revert UserAlreadyUnderLiquidation();
        // update state
        ReserveLibrary.updateReserveState(reserve, rateData);
        UserData storage user = userData[userAddress];
        uint256 healthFactor = calculateHealthFactor(userAddress);
        if (healthFactor >= healthFactorLiquidationThreshold) revert HealthFactorTooLow();
        isUnderLiquidation[userAddress] = true;
        liquidationStartTime[userAddress] = block.timestamp;
        emit LiquidationInitiated(msg.sender, userAddress);
    }

Impact

Tools Used

Recommendations

Require that liquidators stake tokens to participate.

Charge a small fee for failed liquidations.

Add a minimum delay between liquidations.

    mapping(address => uint256) public lastLiquidationAttempt;

    uint256 public constant MIN_LIQUIDATION_DELAY = 1 hours;

    function initiateLiquidation(address userAddress) external nonReentrant whenNotPaused {
        require(
            block.timestamp > lastLiquidationAttempt[userAddress] + MIN_LIQUIDATION_DELAY,
            "Liquidation too frequent"
        );

        lastLiquidationAttempt[userAddress] = block.timestamp;
        ...
    }
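
A small Python model of the guards above, added here as an example (it is not code from the submission or from the project). It assumes the elided part of the recommended function keeps the original checks unchanged; PoolModel, outcome, demo and the health-factor values are hypothetical. It shows which calls each guard rejects, and that a write to lastLiquidationAttempt only persists when the call does not revert.

```python
class Revert(Exception):
    """Models a Solidity revert: the call's state changes are rolled back."""

MIN_LIQUIDATION_DELAY = 3600  # "1 hours" from the recommendation, in seconds

class PoolModel:
    """Hypothetical model; only the checks visible on the page are represented."""
    def __init__(self, threshold, health):
        self.threshold = threshold   # healthFactorLiquidationThreshold (constructed value)
        self.health = health         # stand-in for calculateHealthFactor (constructed)
        self.under_liq, self.start, self.last_attempt = {}, {}, {}

    def initiate_liquidation(self, user, now):
        saved = (dict(self.under_liq), dict(self.start), dict(self.last_attempt))
        try:
            # Proposed cooldown, placed first as in the recommendation.
            if not now > self.last_attempt.get(user, 0) + MIN_LIQUIDATION_DELAY:
                raise Revert("Liquidation too frequent")
            self.last_attempt[user] = now
            # Assumption: the elided "..." holds the original checks unchanged.
            if self.under_liq.get(user, False):
                raise Revert("UserAlreadyUnderLiquidation")
            if self.health[user] >= self.threshold:
                raise Revert("HealthFactorTooLow")
            self.under_liq[user] = True
            self.start[user] = now
        except Revert:
            # A revert discards every write made earlier in the same call.
            self.under_liq, self.start, self.last_attempt = saved
            raise

def outcome(pool, user, now):
    try:
        pool.initiate_liquidation(user, now)
        return "initiated"
    except Revert as exc:
        return str(exc)

def demo():
    pool = PoolModel(threshold=100, health={"healthy": 150, "unhealthy": 80})
    t = 10_000  # constructed timestamp
    calls = [("healthy", t), ("healthy", t + 1), ("unhealthy", t),
             ("unhealthy", t + 1), ("unhealthy", t + 3601)]
    return [outcome(pool, user, now) for user, now in calls], pool

if __name__ == "__main__":
    print(demo()[0])
```

In this model the cooldown timestamp is recorded only for the call that actually starts a liquidation, because the two calls against the healthy account revert after the write.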

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality