Not handling badDebt correctly leads to unfair losses for last withdrawals
Summary
Currently the liquidation is handled by the owner/manager. This is fine as long as the liquidation is profitable. But once badDebt starts to occur, (which is pretty common since houses depreciate in value very fast), this liquidation wont be profitable. Thus when such a state reaches that many positions with badDebt are not closed, the last lenders to withdraw will face the complete loss of funds.
Vulnerability Details
Take the following example
There are 2 lenders, both deposited 100 tokens
A borrower comes and borrows 70 tokens keeping 100 token worth NFT as collateral
The collateral value comes down to 50.
The owner/manager refuses to liquidate such a position(note this is an example, realistically the owner will refuse when there are too many of such positions created: for ex during a housing price crash)
1 of the lenders comes and withdraws his 100 tokens. (this is possible since there is no accounting for baddebt that can be done as of now)
The second lender will have to withdraw the remaining 30 tokens only. Thus taking the entire bad debt loss
Impact
Last few withdrawals will face the burden of baddebt
Tools Used
manual Review
Recommendations
Implement a system to handle bad debt properly.Such that the losses are taken proportional to the deposited amount, instead of first come first serve.
Lead Judging Commences
LendingPool vulnerable to bank run as first-come-first-served withdrawal model lacks loss socialization, allowing early withdrawers to escape while late ones bear losses
LendingPool vulnerable to bank run as first-come-first-served withdrawal model lacks loss socialization, allowing early withdrawers to escape while late ones bear losses
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.