When a user is liquidated, _decreaseUserShare() is called and useCooldown is set to true. This can create problems because liquidations need to happen immediately and in case of unpredictable events the cooldown can just prevent users for being liquidated for an hour. This can create more bad debt because the users will not get liquidated until the cooldown expires.
Impact
Liquidators will have to wait until the cooldown expires which is currently set to 1 hour. This can create more bad debt and cause more losses to the protocol.
As you can see in liquidateUser(), useCooldown is set true which will make the whole transaction revert if the cooldown didnt expire yet.
Tools Used
Manual Review
Recommended Mitigation Steps
Liquidations need to happen immediately so consider creating a smaller cooldown just for liquidations so for example 3 minutes(from the last time the user increased their shares)
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L154
Vulnerability details
When a user is liquidated,
_decreaseUserShare()
is called and useCooldown is set to true. This can create problems because liquidations need to happen immediately and in case of unpredictable events the cooldown can just prevent users for being liquidated for an hour. This can create more bad debt because the users will not get liquidated until the cooldown expires.Impact
Liquidators will have to wait until the cooldown expires which is currently set to 1 hour. This can create more bad debt and cause more losses to the protocol.
Proof of Concept
As you can see in
liquidateUser()
, useCooldown is set true which will make the whole transaction revert if the cooldown didnt expire yet.Tools Used
Manual Review
Recommended Mitigation Steps
Liquidations need to happen immediately so consider creating a smaller cooldown just for liquidations so for example 3 minutes(from the last time the user increased their shares)
Assessed type
Other