Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high

Shared Liquidity Risk: Global Health Factor Leads to Cross-User Liquidation

Author Revealed upon completion

Description:

The protocol merges all user collateral and debt into a single Aave position by using address(this) as the position owner. In DeFi, this creates a "Shared Liquidity" flaw. Since Aave calculates a single Health Factor for the entire contract, the risky behavior of one user (e.g., using maximum leverage) can drop the global Health Factor below 1.0.



Risk

Likelihood:

The vulnerability occurs whenever a user opens a high-leverage position, making the entire contract's health factor unstable.

Impact:


If the global Health Factor drops due to one user's position, liquidators can liquidate the entire contract's collateral. This results in an immediate loss of funds for all other users, even those who maintained safe collateral-to-debt ratios.


Proof of Concept

When the contract calls Aave's supply() and borrow() functions, it uses address(this) instead of creating individual Proxy Wallets for each user.

User A deposits 10 ETH (Safe).
User B borrows 90% against the pool (Risky).
Market drops 5%: The entire 10 ETH of User A is liquidated to cover User B's debt because they share the same Aave account.

POOL.supply(asset, amount, address(this), referralCode);
POOL.borrow(asset, amount, interestRateMode, referralCode, address(this));

Recommended Mitigation

Implement a Proxy Factory pattern where each user gets their own dedicated "Vault" or "Proxy Wallet" (like DSProxy). This ensures that each user’s Health Factor is isolated and one user's liquidation does not affect others.
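
The scenario and the mitigation above, as an added Python model (not the Stratax code and not part of the original submission), comparing one shared Aave account with per-user accounts after a 5% price drop. The liquidation threshold, the price, User B's own 10 ETH deposit, the Account class and the rule that a borrow is accepted while the Health Factor stays at or above 1 are assumptions constructed for illustration.

```python
import math

LT = 0.93        # constructed liquidation threshold, not a real Aave parameter
PRICE = 2000.0   # constructed ETH/USD price

class Account:
    """Hypothetical model of one Aave account: HF = collateral value * LT / debt."""
    def __init__(self):
        self.collateral_eth = 0.0
        self.debt_usd = 0.0
        self.owners = set()  # users whose collateral sits in this account

    def supply(self, user, eth):
        self.collateral_eth += eth
        self.owners.add(user)

    def health_factor(self, price):
        if self.debt_usd == 0:
            return math.inf
        return self.collateral_eth * price * LT / self.debt_usd

    def borrow(self, usd, price):
        # Simplification (assumption): accept the borrow only if HF stays >= 1.
        self.debt_usd += usd
        if self.health_factor(price) < 1:
            self.debt_usd -= usd
            return False
        return True

def exposed_users(accounts, price):
    """Users with collateral in any account that is liquidatable (HF < 1)."""
    out = set()
    for acct in accounts:
        if acct.health_factor(price) < 1:
            out |= acct.owners
    return out

def scenario(shared, drop=0.05):
    """A supplies 10 ETH and borrows nothing. B supplies 10 ETH and asks for 90%
    of the combined collateral value, falling back to 90% of B's own collateral."""
    a = Account()
    b = a if shared else Account()  # shared=True models address(this) as sole owner
    a.supply("A", 10)
    b.supply("B", 10)
    if not b.borrow(0.9 * 20 * PRICE, PRICE):
        b.borrow(0.9 * 10 * PRICE, PRICE)
    accounts = [a] if shared else [a, b]
    return exposed_users(accounts, PRICE * (1 - drop))
```

In the shared layout the oversized borrow is accepted against A's collateral and both users end up in a liquidatable account; in the per-user layout it is rejected, and only B's own account falls below a Health Factor of 1.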
