Once User Helthfactor goes beyound thresold, then he forced to either closed his position or get liquidated
Summary
Vulnerability Details
This Protocol Use a strange approch to Deal with Position.
-
Let Alice deposit a Nft and borrowed against it
-
Once Nft price dropped and health factor goes beyound `liquidation thresold`, then any other User can register Alice for liquidation by calling
initiateLiquidation() -
After that Alice only has Grace Period(currently 3 days) time to pay his DEBT, or anyone to pay his DEBT
-
(Generally in this type of situation other protocol allow User to deposit more collateral so that their Healthfactor move up from thresold and there survive from Liquidation ) But RAAC does do have this type of implementation. Even at this moment Alice can deposit more NFT as Collateral, those are not taken into Health Factor calculation , moreover these token will be get liquidated (explaining below)
-
Another method Alice will Use
repay() or repayOnBehalf(), But problem here is that here Alice has to pay all his debt(Generally in other protocol user can pay some amount of Debt so that their Health factor move up Thresold and they survive liquidation). Even If Alice pay his large chunk of Debt, and his HealthFactor recovered above Liquidation thresold, he not escape from liquidation -
When grace period ended, StabilityPool call
LendingPool :: finalizeLiquidation(), This function never check for Health Factor of Alice only check whether User (Alice) registered for liquidation or not, and pay for Alice Debt and take all NFT of Alice.
Here major flaw present in this type of approch, and its quite different from Defi industry approch. It may give bad experience Users
I try to summarize all issues below although i mentioned some above.
-
Not Updating User's State`(isUnderLiqudation[])` once user deposit more collateral
In DeFi its always possible that User Health factor goes beyound Liquidation thresold due to quick assets price fluctuation. It doesn't mean we force user to pay DEBT or liqudate him
During this situation Protocol should give option to User to add more collateral make his position safe
-
Forcing User to pay all Of his DEBT within limited time
RAAC force User to pay all of his DEBT(excluding some DUST) withing 3days(present time) to survive from liquidation
Althogh RAAC allow User to pay any amont as DEBT repayment, but by calculating health factor status of `isUnderLiqudation[]` never changed, even if user has debt just more than DUST (> 1e6) whole position will be liquidated and All NFTs of user send to stability pool
-
During Finalizing Liquidation process RAAC never check Health Factor to ensure at current moment User is liquidatable or not, it just only check status of `isUnderLiqudation[]` mapping (i explained above how this state and this will affect) and liquidate position and all User NFTs sent to stability pool.
Impact
User experience will be impacted
Tools Used
Manual Review
Recommendations
All issue will be resolve by one simple step
-
during finalizing liquidation, Raac only need to check current health factor of User
-
if Health factor is above Liqudation stop liquidation and set
-
isUnderLiquidation[userAddress] = false;liquidationStartTime[userAddress] = 0;
Lead Judging Commences
LendingPool::finalizeLiquidation() never checks if debt is still unhealthy
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.