Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Unrestricted health factor adjustment leads to potential insolvency

Summary

The setParameter() function in BoostController.sol allows the contract owner to set healthFactorLiquidationThreshold to 0, which disables the liquidation process. The likelihood of this happening is small, since the owner is assumed to be a trusted role, but it still poses a significant risk to the protocol’s solvency.

Vulnerability Details

The setParameter function allows the contract owner to modify various protocol parameters, including healthFactorLiquidationThreshold. There is no validation to ensure that healthFactorLiquidationThreshold is at least equal to BASE_HEALTH_FACTOR_LIQUIDATION_THRESHOLD. If set to 0, the liquidation condition in initiateLiquidation will never be met, preventing any liquidation from occurring.

    else if (param == OwnerParameter.HealthFactorLiquidationThreshold) {
        healthFactorLiquidationThreshold = newValue;
        emit LiquidationParametersUpdated(liquidationThreshold, healthFactorLiquidationThreshold, liquidationGracePeriod);
    }

    uint256 healthFactor = calculateHealthFactor(userAddress);
    if (healthFactor >= healthFactorLiquidationThreshold) revert HealthFactorTooLow();

If healthFactorLiquidationThreshold == 0, then healthFactor >= 0 is always true, preventing all liquidations.

Impact

If liquidations are disabled:

  1. Bad debt accumulation: Borrowers can take out loans and never face liquidation, leading to potential protocol insolvency.

  2. Protocol collapse: If too many bad loans accumulate, the protocol may become undercollateralized.

PoC

Contract owner calls:

setParameter(OwnerParameter.HealthFactorLiquidationThreshold, 0);

A borrower takes a loan and allows their collateral to drop below safety levels.
Any attempt to liquidate the borrower will fail due to:

if (healthFactor >= healthFactorLiquidationThreshold) revert HealthFactorTooLow();

Since healthFactorLiquidationThreshold is 0, liquidation is impossible.

Tools Used

Manual review

Recommendations

A validation check should be added to setParameter to prevent healthFactorLiquidationThreshold from being set below BASE_HEALTH_FACTOR_LIQUIDATION_THRESHOLD:

    else if (param == OwnerParameter.HealthFactorLiquidationThreshold) {
        require(newValue >= BASE_HEALTH_FACTOR_LIQUIDATION_THRESHOLD, "Threshold too low");
        healthFactorLiquidationThreshold = newValue;
        emit LiquidationParametersUpdated(liquidationThreshold, healthFactorLiquidationThreshold, liquidationGracePeriod);
    }

This ensures that liquidations remain functional and protects the protocol from insolvency.
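
The gate and the recommended bound, modelled in JavaScript together with a check over decoded LiquidationParametersUpdated events. This is an added example, not code from the submission or the project. BASE_THRESHOLD, the tx labels and the sample events are constructed assumptions, since the page does not give the real constant.

```javascript
// ASSUMPTION: constructed stand-in for BASE_HEALTH_FACTOR_LIQUIDATION_THRESHOLD.
const BASE_THRESHOLD = 10000n;

// Models the gate quoted from initiateLiquidation: the call reverts when
// healthFactor >= healthFactorLiquidationThreshold. uint256 is modelled as BigInt >= 0.
function canLiquidate(healthFactor, threshold) {
  if (healthFactor < 0n || threshold < 0n) throw new RangeError("uint256 is non-negative");
  return !(healthFactor >= threshold);
}

// Models the recommended setParameter branch: reject values below the base.
function setThresholdBounded(newValue) {
  if (newValue < BASE_THRESHOLD) throw new Error("Threshold too low");
  return newValue;
}

// Scans already-decoded LiquidationParametersUpdated events and reports
// updates that weaken or disable the liquidation gate.
function auditThresholdEvents(events) {
  const findings = [];
  for (const ev of events) {
    const t = ev.healthFactorLiquidationThreshold;
    if (t === 0n) {
      findings.push({ tx: ev.tx, level: "critical", reason: "gate reverts for every health factor" });
    } else if (t < BASE_THRESHOLD) {
      findings.push({ tx: ev.tx, level: "warning", reason: "threshold below base value" });
    }
  }
  return findings;
}

// Constructed sample events; field names follow the emit arguments on the page.
const SAMPLE_EVENTS = [
  { tx: "tx-1", liquidationThreshold: 8000n, healthFactorLiquidationThreshold: 10000n, liquidationGracePeriod: 86400n },
  { tx: "tx-2", liquidationThreshold: 8000n, healthFactorLiquidationThreshold: 5000n, liquidationGracePeriod: 86400n },
  { tx: "tx-3", liquidationThreshold: 8000n, healthFactorLiquidationThreshold: 0n, liquidationGracePeriod: 86400n },
];

// Counts how many sampled health factors remain liquidatable under each threshold.
function demo() {
  const samples = [0n, 1n, 9999n, 10000n];
  return {
    liquidatableAtZero: samples.filter((hf) => canLiquidate(hf, 0n)).length,
    liquidatableAtBase: samples.filter((hf) => canLiquidate(hf, BASE_THRESHOLD)).length,
    findings: auditThresholdEvents(SAMPLE_EVENTS),
  };
}

console.log(demo());
```
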

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
