Algo Ssstablecoinsss

AI First Flight #2

Beginner FriendlyDeFi

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: low

Invalid

Missing Validation in Liquidation Function

muzammilmohammed678

Root + Impact

Description

* Liquidators can liquidate unhealthy positions by repaying debt and seizing collateral. The function calculates amounts but doesn't validate they don't exceed user balances.

* The `liquidate()` function doesn't explicitly check that `debt_to_cover` doesn't exceed the user's actual debt, or that the collateral amount to redeem doesn't exceed the user's collateral balance. While these will revert due to underflow, the error messages are unclear.

```vyper

@external

def liquidate(collateral: address, user: address, debt_to_cover: uint256):

assert debt_to_cover > 0, "DSCEngine__NeedsMoreThanZero"

starting_user_health_factor: uint256 = self._health_factor(user)

assert (

starting_user_health_factor < MIN_HEALTH_FACTOR

), "DSCEngine__HealthFactorOk"

token_amount_from_debt_covered: uint256 = self._get_token_amount_from_usd(

collateral, debt_to_cover // @> No check that debt_to_cover <= user_debt

)

bonus_collateral: uint256 = (

token_amount_from_debt_covered * LIQUIDATION_BONUS

) // LIQUIDATION_PRECISION

self._redeem_collateral(

collateral,

token_amount_from_debt_covered + bonus_collateral, // @> No check that this <= user_collateral

user,

msg.sender,

)

```

Risk

Likelihood:

* Liquidators might miscalculate amounts and attempt to liquidate more than available

* Front-running or price changes between calculation and execution could cause amounts to exceed balances

* Integration with external interfaces could pass incorrect amounts

Impact:

* Unclear error messages when liquidation fails, wasting gas

* Poor user experience for liquidators

* Potential for repeated failed transactions

Proof of Concept

```python

# Scenario:

# 1. User has 100 DSC debt, 1 ETH collateral

# 2. Liquidator calculates debt_to_cover = 150 DSC (incorrect)

# 3. Calls liquidate() with debt_to_cover = 150

# 4. _burn_dsc() tries to subtract 150 from user_debt of 100

# 5. Underflow occurs, transaction reverts with unclear error

# 6. Liquidator wastes gas and doesn't know why it failed

```

Recommended Mitigation

```diff

@external

def liquidate(collateral: address, user: address, debt_to_cover: uint256):

assert debt_to_cover > 0, "DSCEngine__NeedsMoreThanZero"

+ user_debt: uint256 = self.user_to_dsc_minted[user]

+ assert debt_to_cover <= user_debt, "DSCEngine__DebtExceedsUserDebt"

starting_user_health_factor: uint256 = self._health_factor(user)

assert (

starting_user_health_factor < MIN_HEALTH_FACTOR

), "DSCEngine__HealthFactorOk"

token_amount_from_debt_covered: uint256 = self._get_token_amount_from_usd(

collateral, debt_to_cover

)

bonus_collateral: uint256 = (

token_amount_from_debt_covered * LIQUIDATION_BONUS

) // LIQUIDATION_PRECISION

+ user_collateral: uint256 = self.user_to_token_address_to_amount_deposited[user][collateral]

+ total_to_redeem: uint256 = token_amount_from_debt_covered + bonus_collateral

+ assert total_to_redeem <= user_collateral, "DSCEngine__InsufficientCollateral"

self._redeem_collateral(

collateral,

- token_amount_from_debt_covered + bonus_collateral,

+ total_to_redeem,

user,

msg.sender,

)

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 16 days ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!