In the LendingPool.sol contract, the finalizeLiquidation function does not check whether the user is still "unhealthy" after the grace period has expired, which can lead to unfair liquidations.
The vulnerability arises from the lack of a health factor check in the finalizeLiquidation function after the grace period has expired. If a user's health factor improves due to factors such as a price increase or partial repayment, they should not be subject to liquidation. However, the current implementation allows the stability pool to finalize the liquidation without re-evaluating the user's health factor.
Users who manage to improve their health factor during the grace period can still be unfairly liquidated because the stability pool does not re-check their health status before finalizing the liquidation. This can lead to unnecessary loss of collateral for users who have taken steps to rectify their position, undermining user trust and the fairness of the protocol.
Manual Review
To mitigate this vulnerability, update the finalizeLiquidation function to include a check for the user's health factor before finalizing the liquidation. This ensures that only users who are still "unhealthy" after the grace period are subject to liquidation. The updated function should look like this:
This change will prevent unfair liquidations and ensure that users who improve their health factor are not penalized.
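The recommended check, shown in a minimal stand-alone model. This is an added example, not the audited LendingPool.sol or code from the original finding; the contract name, every function and field name other than finalizeLiquidation, the 1e18 scaling, and the 3-day grace period are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal model for illustration; NOT the audited LendingPool.sol.
/// All names, the 1e18 scaling and the 3-day grace period are assumptions.
contract LiquidationModel {
    uint256 public constant GRACE_PERIOD = 3 days;
    uint256 public constant MIN_HEALTH = 1e18; // 1.0, scaled by 1e18
    address public immutable stabilityPool;

    struct Position { uint256 collateralValue; uint256 debt; uint256 liquidationStart; }
    mapping(address => Position) public positions;

    error Unauthorized();
    error NotUnderLiquidation();
    error GracePeriodNotExpired();
    error PositionHealthy(uint256 healthFactor);

    constructor(address pool) { stabilityPool = pool; }

    /// Unauthenticated stand-in for deposits, repayments and oracle price moves.
    function setPosition(address user, uint256 collateralValue, uint256 debt) external {
        positions[user].collateralValue = collateralValue;
        positions[user].debt = debt;
    }

    function healthFactor(address user) public view returns (uint256) {
        Position storage p = positions[user];
        if (p.debt == 0) return type(uint256).max; // no debt: always healthy
        return (p.collateralValue * 1e18) / p.debt;
    }

    function initiateLiquidation(address user) external {
        uint256 hf = healthFactor(user);
        if (hf >= MIN_HEALTH) revert PositionHealthy(hf);
        positions[user].liquidationStart = block.timestamp;
    }

    function finalizeLiquidation(address user) external {
        if (msg.sender != stabilityPool) revert Unauthorized();
        Position storage p = positions[user];
        if (p.liquidationStart == 0) revert NotUnderLiquidation();
        if (block.timestamp <= p.liquidationStart + GRACE_PERIOD) revert GracePeriodNotExpired();
        // Re-check at finalization: the flag was set from an earlier snapshot.
        uint256 hf = healthFactor(user);
        if (hf >= MIN_HEALTH) revert PositionHealthy(hf);
        delete positions[user]; // stand-in for seizing collateral and clearing debt
    }
}
```

Because the health check reverts, the liquidation flag stays set in this model; a real pool would also need a path that clears the flag once the position has recovered.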