Submission Details
Severity:
Incorrect Health Factor Scaling Triggers False Liquidations
Summary
The calculateHealthFactor function uses 1e18 scaling instead of RAY (1e27), miscalculating health factors and causing unwarranted liquidations.
Vulnerability Details
The health factor formula uses 1e18 for scaling, but the protocol uses RAY (1e27) for precision. This underreports health factors by 1e9, leading to premature liquidations.
/**
* @notice Calculates the user's health factor
* @param userAddress The address of the user
* @return The health factor (in RAY)
*/
function calculateHealthFactor(address userAddress) public view returns (uint256) {
uint256 collateralValue = getUserCollateralValue(userAddress);
uint256 userDebt = getUserDebt(userAddress);
if (userDebt < 1) return type(uint256).max;
uint256 collateralThreshold = collateralValue.percentMul(liquidationThreshold);
// @audit should be using 1e27 instead of 1e18 this can cause false liquidation
return (collateralThreshold * 1e18) / userDebt;
}
Impact
False Liquidations: Users with sufficient collateral are liquidated.
Loss of Funds: Liquidated users lose NFTs at undervalued prices.
Tools Used
manual review
Recommendations
Use WadRayMath.RAY (1e27) for scaling:
return collateralThreshold.rayDiv(userDebt);
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.