If there is a sharp change in the collateral price and it goes more than 95 percent, and the loss in liquidateUser is more than 5 percent, then no one wants to liquidate the asset.
Proof of Concept
    function liquidateUser( address wallet ) external nonReentrant
    {
        require( wallet != msg.sender, "Cannot liquidate self" );

        // First, make sure that the user's collateral ratio is below the required level
        require( canUserBeLiquidated(wallet), "User cannot be liquidated" );

        uint256 userCollateralAmount = userShareForPool( wallet, collateralPoolID );

        // Withdraw the liquidated collateral from the liquidity pool.
        // The liquidity is owned by this contract so when it is withdrawn it will be reclaimed by this contract.
        (uint256 reclaimedWBTC, uint256 reclaimedWETH) = pools.removeLiquidity(wbtc, weth, userCollateralAmount, 0, 0, totalShares[collateralPoolID] );

        // Decrease the user's share of collateral as it has been liquidated and they no longer have it.
        _decreaseUserShare( wallet, collateralPoolID, userCollateralAmount, true );

        // @>> The caller receives a default 5% of the value of the liquidated collateral.
        uint256 rewardPercent = stableConfig.rewardPercentForCallingLiquidation();
        uint256 rewardedWBTC = (reclaimedWBTC * rewardPercent) / 100;
        uint256 rewardedWETH = (reclaimedWETH * rewardPercent) / 100;

        // Make sure the value of the rewardAmount is not excessive
        uint256 rewardValue = underlyingTokenValueInUSD( rewardedWBTC, rewardedWETH ); // in 18 decimals
        uint256 maxRewardValue = stableConfig.maxRewardValueForCallingLiquidation(); // 18 decimals
        if ( rewardValue > maxRewardValue )
        {
            rewardedWBTC = (rewardedWBTC * maxRewardValue) / rewardValue;
            rewardedWETH = (rewardedWETH * maxRewardValue) / rewardValue;
        }

        // Reward the caller
        wbtc.safeTransfer( msg.sender, rewardedWBTC );
        weth.safeTransfer( msg.sender, rewardedWETH );

        // Send the remaining WBTC and WETH to the Liquidizer contract so that the tokens can be converted to USDS and burned (on Liquidizer.performUpkeep)
        wbtc.safeTransfer( address(liquidizer), reclaimedWBTC - rewardedWBTC );
        weth.safeTransfer( address(liquidizer), reclaimedWETH - rewardedWETH );

        // Have the Liquidizer contract remember the amount of USDS that will need to be burned.
        uint256 originallyBorrowedUSDS = usdsBorrowedByUsers[wallet];
        liquidizer.incrementBurnableUSDS(originallyBorrowedUSDS);

        // Clear the borrowedUSDS for the user who was liquidated so that they can simply keep the USDS they previously borrowed.
        usdsBorrowedByUsers[wallet] = 0;
        _walletsWithBorrowedUSDS.remove(wallet);

        emit Liquidation(msg.sender, wallet, reclaimedWBTC, reclaimedWETH, originallyBorrowedUSDS);
    }
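As an added illustration (not part of the original submission or the Salty code base), the following Python model mirrors the integer reward arithmetic of liquidateUser above and shows how the caller's payout shrinks as prices fall. The token decimals, prices, cap, position size and the fixed caller cost are assumptions constructed for the example.

```python
# Added model of the reward arithmetic in liquidateUser; every amount, price,
# cap and caller cost below is a constructed value, not protocol data.
WAD = 10**18  # USD values carry 18 decimals, as the Solidity comments state

def value_usd(wbtc, weth, btc_price, eth_price):
    """Stand-in for underlyingTokenValueInUSD (assumes WBTC 8 decimals, WETH 18)."""
    return wbtc * btc_price // 10**8 + weth * eth_price // WAD

def liquidation_reward(wbtc, weth, btc_price, eth_price, max_reward_value,
                       reward_percent=5):
    """Percent of the reclaimed collateral, scaled down proportionally to the cap."""
    r_wbtc = wbtc * reward_percent // 100
    r_weth = weth * reward_percent // 100
    reward_value = value_usd(r_wbtc, r_weth, btc_price, eth_price)
    if reward_value > max_reward_value:
        r_wbtc = r_wbtc * max_reward_value // reward_value
        r_weth = r_weth * max_reward_value // reward_value
    return r_wbtc, r_weth, value_usd(r_wbtc, r_weth, btc_price, eth_price)

def caller_profit_by_drop(wbtc, weth, btc_price, eth_price, max_reward_value,
                          caller_cost, drops_percent):
    """Reward value minus the caller's own cost after each hypothetical price drop."""
    result = {}
    for drop in drops_percent:
        scale = 100 - drop
        _, _, reward = liquidation_reward(wbtc, weth, btc_price * scale // 100,
                                          eth_price * scale // 100, max_reward_value)
        result[drop] = reward - caller_cost
    return result

if __name__ == "__main__":
    # Constructed scenario: BTC 40,000 USD, ETH 2,000 USD, cap 500 USD, cost 15 USD
    BTC, ETH, CAP, COST = 40_000 * WAD, 2_000 * WAD, 500 * WAD, 15 * WAD
    # Position worth 800 USD at the starting prices: 0.01 WBTC and 0.2 WETH
    profits = caller_profit_by_drop(10**6, 2 * 10**17, BTC, ETH, CAP, COST,
                                    [0, 50, 70, 95])
    for drop, profit in profits.items():
        print(f"drop {drop:>2}%: caller profit {profit / WAD:+.2f} USD")
```

The fixed caller cost stands in for whatever the caller spends to submit the transaction; the reclaimed token amounts are held constant across price drops to isolate the effect of price on the reward value.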
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L140
function liquidateUser( address wallet ) external nonReentrant { require( wallet != msg.sender, "Cannot liquidate self" );
Tools Used
Recommended Mitigation Steps
Use some other incentive for liquidation.
Assessed type
Context