Root + Impact

Description

• Normal behavior: When a user is undercollateralized, liquidators should be able to repay part or all of the user’s DSC debt and receive collateral plus a bonus, eventually fully unwinding insolvent positions.

• Issue: For deeply underwater positions, the computed collateral_to_redeem + bonus can exceed the user’s total collateral balance, causing underflow or failed transfers and effectively making some positions unliquidatable, leaving permanent bad debt.

Risk

Likelihood:

• Reason 1 // Sharp price crashes or oracle delays routinely produce positions far below the liquidation threshold in volatile assets like ETH and BTC.

• Reason 2 // As protocol TVL grows, the probability that at least one position will become deeply underwater increases, especially during systemic events.

Impact:

• Impact 1 // Certain undercollateralized positions become impossible to liquidate, leaving unbacked DSC in circulation and directly violating the protocol’s overcollateralization invariant.

• Impact 2 // Accumulating bad debt erodes trust in the stablecoin’s solvency and can trigger a broader loss of peg and user confidence.

Proof of Concept

A price crash makes a position so underwater that even trying to liquidate 100% of the debt plus bonus exceeds available collateral:

1. User deposits 1 WETH at $2000 and mints 1000 DSC.

2. Price of WETH drops to $500.

3. A liquidator attempts to cover 1000 DSC; required collateral plus 10% bonus exceeds 1 WETH.

4. The subtraction from user_to_token_address_to_amount_deposited[user][collateral] underflows or fails, reverting the transaction.

5. Repeated attempts with smaller debt_to_cover continue to fail until the chosen amount happens to not exceed remaining collateral, leaving residual bad debt.

Recommended Mitigation

Reduce or cap the liquidation bonus in deep insolvency so that collateral_from_debt + bonus_collateral always fits within the user’s remaining collateral, and explicitly account for any remaining bad debt.