Unfair Collateral Seizure Despite Full Debt Repayment Due to Manual Liquidation Closure Requirement
Summary
The protocol allows collateral to be seized even after a user fully repays their debt if they fail to manually call `closeLiquidation`. This design flaw forces users to take an unnecessary extra step to protect their assets, unfairly penalizing compliant borrowers.
Vulnerability Details
Manual Closure Requirement: Full repayment does not automatically terminate liquidation status, instead users must explicitly call
closeLiquidationafter repayment to avoid collateral seizure.Also,
closeLiquidationis callable only by the user, preventing third-party/bot assistance.Upon Full Repayment of loan, we should have a Auto-Close Mechanism.
Faulty Workflow
1.User Repays Full Debt:
2.Liquidation Finalization Still Possible:
Impact
High Severity (Direct Financial Loss + Protocol Trust Erosion):
Collateral Theft: Users lose assets despite fulfilling obligations
UX Hazard: Relies on user awareness of obscure manual step
Reputational Damage: Perceived as predatory protocol behavior
Recommendations:
-
Either: Access Control Expansion
Allow trusted keepers (e.g., Chainlink Automation) to call
closeLiquidation
-
Or, Modify the repayment logic to auto-close liquidations when debt is fully repaid:
function \_repay(...) internal {// Existing repayment logicif (user.scaledDebtBalance == 0) {\_closeLiquidation(onBehalfOf); // Auto-trigger closure}}
Lead Judging Commences
A borrower can LendingPool::repay to avoid liquidation but might not be able to call LendingPool::closeLiquidation successfully due to grace period check, loses both funds and collateral
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.