Algo Ssstablecoinsss

AI First Flight #2

Beginner FriendlyDeFi

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

[M-03] Self-liquidation extracts 10% bonus collateral, degrading backing ratio for all DSC holders

webrainsec

Description

liquidate() does not check user != msg.sender. A user can liquidate their own position and pocket the 10% liquidation bonus, extracting value from the protocol's collateral pool at the expense of all other DSC holders.

Vulnerability Details

# dsc_engine.vy:112

@external

def liquidate(collateral: address, user: address, debt_to_cover: uint256):

# @> No check that msg.sender != user

assert debt_to_cover > 0, "DSCEngine__NeedsMoreThanZero"

The bonus comes from the user's own collateral, but the DSC burned reduces total supply while the extra 10% collateral is returned. This means the remaining DSC in circulation is backed by less collateral than before.

Risk

Likelihood:

Any user whose HF falls below 1e18 can do this. No special setup needed beyond being undercollateralized.
Rational actors will self-liquidate rather than let an external liquidator take the bonus.

Impact:

Each self-liquidation extracts 10% of the covered debt value from the protocol's collateral backing.
The collateral-to-DSC backing ratio decreases for all remaining DSC holders.
At scale, repeated self-liquidations erode protocol solvency.

Proof of Concept

1. User deposits 10 ETH at $2,000/ETH ($20,000 collateral), mints 9,500 DSC

2. ETH drops to $1,800 → HF = ($18,000 * 50/100 * 1e18) / 9,500e18 = 0.947e18 — liquidatable

3. User calls liquidate(weth, self, 5000e18) — liquidating themselves

4. Collateral redeemed: 5,000e18 / $1,800 * 1.1 = 3.056 ETH ($5,500 worth)

5. DSC burned: 5,000

6. Net: user gave up 5,000 DSC and received $5,500 in ETH — $500 profit

7. The $500 came from collateral that was backing other DSC holders' positions

Recommendations

@external

def liquidate(collateral: address, user: address, debt_to_cover: uint256):

+ assert user != msg.sender, "DSCEngine__CannotSelfLiquidate"

assert debt_to_cover > 0, "DSCEngine__NeedsMoreThanZero"

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!