Open code423n4 opened 2 years ago
dup of #91
Duplicate of #40
Downgraded to QA Report since this issue is related to a design decision.
This is the only issue submitted by this warden. Since it has been downgraded to a QA report, I will remove the duplicate label and reopen it.
Lines of code
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L253
Vulnerability details
Impact
The protocol relies on auctioneers to put bad debt into auction and liquidation or cancel the liquidated position
but it is possible that when auctioneers put debt into auction, the user adds more collateral to avoid liquidation,
and the
the function is never called.
Then the user's position is not subject to liquidation and can still be liquidated.
Proof of Concept
Tools Used
VIM
Recommended Mitigation Steps
The developer can check if the user's position is subject to liquidation when the user calls payBase or payFYToken.
https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L357