Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

The user can still be liquidated even if his collateral value is more than the debt value.

Summary

The user can still be liquidated even if his collateral value is more than the debt value because of missing health factor checks in the liquidation function.

Vulnerability Details

Let's say that the collateral value of a user went down and thus the user's position is liquidatable. Someone calls initiateLiquidation on them. isUnderLiquidation[userAddress] is true for the user now.

During the grace period, however, their collateral rises in value again, so that their health factor is back in the safe range.

The user can nevertheless still be liquidated, because the finalizeLiquidation function does not check the user's health factor again. The only alternative is for the user to pay back his debt completely by calling closeLiquidation, even though his collateral value is now more than the debt value (after the increase in his collateral value).

Because of the missing health factor checks, a user whose collateral is worth more than the debt and whose health factor is greater than 1 would still lose his NFTs to liquidation.

Impact

Users will be liquidated even if their health factor is safe, thereby losing all their NFTs.

Tools Used

Manual review

Recommendations

The finalizeLiquidation function should check the user's health factor and revert if the health factor is safe.
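
The sequence above, replayed as an added example on a simplified Python model of the liquidation flow (not the audited Solidity and not the submitter's code). The Position class, the recheck switch, the grace period length, the safe threshold and all numbers are assumptions made for illustration.

```python
# Simplified model of the liquidation flow (constructed; not the audited contracts).
from dataclasses import dataclass
from typing import Optional, Tuple

GRACE_PERIOD = 3 * 24 * 3600   # assumed length of the grace period, in seconds
HEALTHY = 1.0                  # assumed threshold: a health factor of 1 or more is safe


class Revert(Exception):
    """Stands in for a Solidity revert."""


@dataclass
class Position:
    collateral_value: float                  # oracle value of the deposited NFTs
    debt: float
    nfts: int = 1
    liquidation_start: Optional[int] = None  # plays the role of isUnderLiquidation

    def health_factor(self) -> float:
        return self.collateral_value / self.debt


def initiate_liquidation(p: Position, now: int) -> None:
    if p.health_factor() >= HEALTHY:
        raise Revert("health factor is safe")
    p.liquidation_start = now


def finalize_liquidation(p: Position, now: int, recheck: bool) -> None:
    if p.liquidation_start is None:
        raise Revert("not under liquidation")
    if now <= p.liquidation_start + GRACE_PERIOD:
        raise Revert("grace period not expired")
    # Recommended guard: read the health factor again at finalization time.
    if recheck and p.health_factor() >= HEALTHY:
        raise Revert("health factor is safe")
    p.nfts, p.debt, p.liquidation_start = 0, 0.0, None   # collateral seized


def scenario(recheck: bool) -> Tuple[int, str]:
    p = Position(collateral_value=90.0, debt=100.0)   # constructed numbers
    initiate_liquidation(p, now=0)                    # health factor 0.9: liquidatable
    p.collateral_value = 130.0                        # value recovers: health factor 1.3
    try:
        finalize_liquidation(p, now=GRACE_PERIOD + 1, recheck=recheck)
        return p.nfts, "seized"
    except Revert as exc:
        return p.nfts, str(exc)
```

With recheck=False the model reproduces the finding: the NFT is seized at a health factor of 1.3. With recheck=True the finalization reverts and the user keeps the NFT.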

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool: liquidateBorrower should call lendingPool.updateState earlier, to ensure the updated usageIndex is used in calculating the scaledUserDebt
