Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Outdated debt value fetched from StabilityPool during liquidations

Vulnerability Details

When liquidating a user through StabilityPool::liquidateBorrower() the user's debt is fetched from the LendingPool.

But before this fetch there is no update of the lending pool to make sure that the debt accrued since the last interaction with the LendingPool is accounted for. See that there is no code before the fetch, here.

Note: _update() just calls RAACMinter, which does not update the lending pool at any time. It only eventually calls the lending pool's getNormalizedDebt to calculate the utilization rate, here. But this function does not update the lending pool; it just returns the debt index, see here.

Impact

Incorrect debt paid to liquidate users: smaller than it should be.

Also, liquidations will probably revert if the debt increased by even just 1 wei since the last interaction with the LendingPool. This is because StabilityPool approves just the amount fetched before calling finalizeLiquidation(), see here.

Yet inside LendingPool::finalizeLiquidation() the interest update is carried out (here), likely leading to a transferFrom with a higher amount than the approved one, here.

The value is clearly outdated and it either allows cheaper liquidations or reverts them.
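
A simplified Python model of the sequence described above, added here as an example and not taken from the RAAC contracts. The linear interest rate, the single-borrower pool, the clock and all Python names are assumptions; the modelled calls mirror updateState, getNormalizedDebt, getUserDebt and finalizeLiquidation from the finding. It shows the approval computed from the stale index falling short once finalizeLiquidation accrues interest, and the same liquidation succeeding when the state is updated first.

```python
RAY = 10**27  # fixed-point unit for the ray math the finding refers to

def ray_mul(a, b):
    return (a * b + RAY // 2) // RAY  # multiply two ray values, rounding half up

class LendingPoolModel:
    """One borrower, linear interest (assumed; not RAAC's rate model)."""
    def __init__(self, scaled_debt, rate_per_second_ray):
        self.scaled_debt = scaled_debt
        self.rate = rate_per_second_ray
        self.index = RAY        # stored debt index
        self.last_update = 0
        self.now = 0            # constructed clock
        self.allowance = 0      # amount approved by the StabilityPool

    def update_state(self):
        elapsed = self.now - self.last_update
        self.index = ray_mul(self.index, RAY + self.rate * elapsed)
        self.last_update = self.now

    def get_normalized_debt(self):
        return self.index       # read-only: returns the stored index, no accrual

    def get_user_debt(self):
        return self.scaled_debt

    def finalize_liquidation(self):
        self.update_state()     # interest is accrued here, after the approval
        owed = ray_mul(self.scaled_debt, self.index)
        if owed > self.allowance:
            raise RuntimeError(f"transferFrom needs {owed}, approved {self.allowance}")
        self.allowance -= owed
        return owed

def liquidate_borrower(pool, update_first):
    if update_first:
        pool.update_state()     # the recommended fix
    debt = ray_mul(pool.get_user_debt(), pool.get_normalized_debt())
    pool.allowance = debt       # approve exactly the amount read above
    return pool.finalize_liquidation()

def run(update_first, idle_seconds=3600):
    # Constructed sample: 1,000 tokens of scaled debt, 3e-9 interest per second.
    pool = LendingPoolModel(scaled_debt=1_000 * 10**18, rate_per_second_ray=3 * 10**18)
    pool.now = idle_seconds     # time passes with no interaction with the pool
    try:
        return ("ok", liquidate_borrower(pool, update_first))
    except RuntimeError as exc:
        return ("reverted", str(exc))
```
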

Recommendations

Call LendingPool::updateState() at the beginning of StabilityPool::liquidateBorrower():

function liquidateBorrower(address userAddress) external onlyManagerOrOwner nonReentrant whenNotPaused {
+ lendingPool.updateState();
// Get the user's debt from the LendingPool.
uint256 userDebt = lendingPool.getUserDebt(userAddress);
uint256 scaledUserDebt = WadRayMath.rayMul(userDebt, lendingPool.getNormalizedDebt());
// code...
}
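
Review bot: the added lendingPool.updateState() call on the first line of liquidateBorrower carries no comment saying that it must stay ahead of both getUserDebt() and getNormalizedDebt(); add a one-line comment stating that ordering requirement so a later refactor does not move either read above it. The rest of the body is elided as "// code...", so it is also worth confirming in the full function that the amount approved before finalizeLiquidation() is derived from the scaledUserDebt computed after this call.
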
Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

StabilityPool: liquidateBorrower should call lendingPool.updateState earlier, to ensure the updated usageIndex is used in calculating the scaledUserDebt
