Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Manual crvUSD Dependency Renders Liquidations Unreliable and Admin-Dependent

Summary

Vulnerability Details

In the current StabilityPool implementation, the liquidation process is entirely dependent on administrative intervention. Specifically, when a user is liquidated, the contract has no automated mechanism to receive or manage the crvUSD tokens needed to finalize the liquidation. As a result, an admin must manually supply the required crvUSD tokens to complete the process. This dependency on admin action delays liquidations, potentially leading to operational inefficiencies.

The contract checks for the crvUSD token balance using:

uint256 crvUSDBalance = crvUSDToken.balanceOf(address(this));
if (crvUSDBalance < scaledUserDebt) revert InsufficientBalance();

Since there is no mechanism in place to automatically acquire or hold the necessary crvUSD tokens within the contract, the balance is typically insufficient. Consequently, the admin is forced to manually transfer the required crvUSD tokens to the contract to ensure that the liquidation can be finalized.

Impact

Liquidations are fully dependent on an admin manually sending the required crvUSD tokens, which can delay the resolution of undercollateralized positions.

Tools Used

Manual Review
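
The balance check described under Vulnerability Details, modelled as an added example (not code from the submission or from the audited contracts). The class name, the `auto_redeem` switch, the 1:1 rToken-to-crvUSD redemption and all amounts are assumptions made for illustration; interest indexes and token decimals are ignored.

```python
class InsufficientBalance(Exception):
    """Stands in for the InsufficientBalance() revert quoted above."""


class StabilityPoolModel:
    """Toy ledger with integer balances (hypothetical, not the real contract)."""

    def __init__(self, auto_redeem=False):
        self.rtoken = 0   # what the pool receives from depositors
        self.crvusd = 0   # what the liquidation check reads
        self.auto_redeem = auto_redeem  # assumed mitigation switch

    def deposit(self, amount):
        self.rtoken += amount

    def admin_top_up(self, amount):
        # The manual crvUSD transfer the finding says liquidations depend on.
        self.crvusd += amount

    def liquidate(self, scaled_user_debt):
        shortfall = max(0, scaled_user_debt - self.crvusd)
        # Without the mitigation this reduces to: crvusd < scaledUserDebt -> revert.
        redeemable = self.rtoken if self.auto_redeem else 0
        if shortfall > redeemable:
            raise InsufficientBalance()  # nothing mutated yet, like a revert
        # Assumed mitigation: cover the shortfall by redeeming rTokens at 1:1.
        self.rtoken -= shortfall
        self.crvusd += shortfall
        self.crvusd -= scaled_user_debt
        return self.crvusd


def run_scenario(auto_redeem):
    """Deposit 1000 rToken, then liquidate a debt of 400 (constructed values)."""
    pool = StabilityPoolModel(auto_redeem)
    pool.deposit(1000)
    events = []
    try:
        pool.liquidate(400)
        events.append("liquidated")
    except InsufficientBalance:
        events.append("reverted")
        pool.admin_top_up(400)
        pool.liquidate(400)
        events.append("liquidated after admin top-up")
    return events, pool.rtoken, pool.crvusd


if __name__ == "__main__":
    print(run_scenario(auto_redeem=False))
    print(run_scenario(auto_redeem=True))
```

In the unmitigated run the pool holds 1000 rToken yet the first liquidation still reverts, which is the mismatch the finding tag below describes.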

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool design flaw where liquidations will always fail as StabilityPool receives rTokens but LendingPool expects it to provide crvUSD
