Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

USDC in pools leads to significant loss for protocol/lenders

Summary and Vulnerability Details

The contest page mentions that USDC is allowed in the pools. When liquidations are closed, there is a check to ensure that the remaining debt is small. This check is as follows:
    if (userDebt <= 1e6) continue close liquidation;
But this is a problem for tokens like USDC: for every liquidation, a loss of $1 is taken by the lenders/protocol.

    function closeLiquidation() external nonReentrant whenNotPaused {
        address userAddress = msg.sender;
        if (!isUnderLiquidation[userAddress]) revert NotUnderLiquidation();
        // update state
        ReserveLibrary.updateReserveState(reserve, rateData);
        if (block.timestamp > liquidationStartTime[userAddress] + liquidationGracePeriod) {
            revert GracePeriodExpired();
        }
        UserData storage user = userData[userAddress];
        uint256 userDebt = user.scaledDebtBalance.rayMul(reserve.usageIndex);
        // => DUST_THRESHOLD = 1e6
        if (userDebt > DUST_THRESHOLD) revert DebtNotZero();

Impact

Many such closed liquidations will add up, and the lenders may not get paid the proper interest they are owed.

Tools Used

Manual review

Recommendations

Reduce the DUST_THRESHOLD to a more acceptable value.
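
One way to apply this recommendation, as an added example that is not part of the submission or the project's code: derive the threshold from the reserve asset's decimals, because a raw 1e6 is one whole token for a 6-decimal asset such as USDC but only 1e-12 of a token for an 18-decimal asset. The contract name, `DUST_DECIMALS`, `dustThreshold` and `requireClosable` are hypothetical, and the policy of tolerating 10^-6 of one token is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

// Added illustration; not the audited contract. All names here are hypothetical.
contract DecimalsAwareDust {
    error DebtNotZero();

    // Assumed policy: tolerate at most 10^-6 of one whole token as dust.
    uint8 public constant DUST_DECIMALS = 6;

    // Threshold in base units of the reserve asset, fixed at deployment.
    uint256 public immutable dustThreshold;

    constructor(address reserveAsset) {
        uint8 d = IERC20Decimals(reserveAsset).decimals();
        // 18 decimals -> 1e12 base units; 6 decimals (USDC) -> 1 base unit;
        // fewer than 6 decimals -> 0, so the debt must be repaid exactly.
        dustThreshold = d >= DUST_DECIMALS
            ? 10 ** uint256(d - DUST_DECIMALS)
            : 0;
    }

    // Same comparison as the excerpt above, using the scaled threshold
    // instead of a fixed 1e6.
    function requireClosable(uint256 userDebt) public view {
        if (userDebt > dustThreshold) revert DebtNotZero();
    }
}
```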

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
