The finalizeLiquidation function in LendingPool executes liquidations based solely on time elapsed since initiation, without revalidating the user's current health factor. This allows liquidations to proceed even if a user has improved their position during the grace period, potentially leading to unnecessary loss of user funds (NFTs).
The vulnerability exists in the finalizeLiquidation function in LendingPool:
The issue stems from several critical oversights:
No Health Factor Revalidation:
The function doesn't call calculateHealthFactor(userAddress) before executing the liquidation.
It ignores any improvements in the user's position during the grace period.
The LendingPool allows a user who is under liquidation (set by calling initiateLiquidation) to perform different actions, such as:
Deposit additional NFTs (no restrictions while under liquidation)
Repay part or even the entire debt without calling closeLiquidation.
Both actions could improve their health factor above the liquidation threshold.
Another check missing in the finalizeLiquidation function: it uses all of the user's NFTs to pay the debt.
If the user has 4 NFTs but 3 of them can cover the position, the user will permanently lose the 4th NFT when they shouldn't even be liquidated.
Unfair liquidation of healthy positions.
Permanent loss of funds (NFTs) when unfair liquidations happen.
Manual Review
Add position revalidation before executing liquidation:
Additionally, the _repay function should not allow a repayment when:
The user is under liquidation
The grace period has expired.
Reason: with this restriction, users who remain unhealthy after the grace period ends cannot call repay to improve their health factor. This ensures they can be liquidated without the risk of front-running or DoS attacks that could block legitimate liquidations.
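The two recommendations above, written out as an added Solidity example; it is not the project's LendingPool code or the reporter's patch. Only the names finalizeLiquidation, calculateHealthFactor and _repay come from the report; the storage variables, constants, error names and the hooks _seizeCollateralAndClearDebt and _applyRepayment are assumptions, as is the choice to clear the liquidation flag (rather than revert) when the position has recovered.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative model only: storage layout, constants and hooks are assumed,
// not taken from the audited LendingPool.
abstract contract LiquidationModel {
    uint256 public constant GRACE_PERIOD = 3 days;           // assumed value
    uint256 public constant HEALTH_FACTOR_THRESHOLD = 1e18;  // assumed scale

    mapping(address => bool) public isUnderLiquidation;
    mapping(address => uint256) public liquidationStartTime;

    error NotUnderLiquidation();
    error GracePeriodNotExpired();
    error GracePeriodExpired();

    // Supplied by the concrete pool (hypothetical hooks for this example).
    function calculateHealthFactor(address user) public view virtual returns (uint256);
    function _seizeCollateralAndClearDebt(address user) internal virtual;
    function _applyRepayment(address user, uint256 amount) internal virtual;

    function finalizeLiquidation(address user) external {
        if (!isUnderLiquidation[user]) revert NotUnderLiquidation();
        if (block.timestamp <= liquidationStartTime[user] + GRACE_PERIOD) revert GracePeriodNotExpired();

        // Revalidate: the user may have deposited NFTs or repaid during the grace period.
        bool recovered = calculateHealthFactor(user) >= HEALTH_FACTOR_THRESHOLD;

        // Clear the flag in both outcomes so a recovered user is not left marked.
        isUnderLiquidation[user] = false;
        liquidationStartTime[user] = 0;

        if (recovered) return;               // healthy again: nothing is seized
        _seizeCollateralAndClearDebt(user);  // still unhealthy: liquidate
    }

    function _repay(address user, uint256 amount) internal {
        // Reject repayment only when the user is under liquidation AND the grace
        // period has expired, so a late repay cannot block a pending liquidation.
        if (isUnderLiquidation[user] && block.timestamp > liquidationStartTime[user] + GRACE_PERIOD) {
            revert GracePeriodExpired();
        }
        _applyRepayment(user, amount);
    }
}
```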