code-423n4 / 2024-03-dittoeth-findings


malicious shorter can escape liquidation of their unhealthy positions #192

Closed c4-bot-3 closed 5 months ago

c4-bot-3 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/ExitShortFacet.sol#L41
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/ExitShortFacet.sol#L87
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/ExitShortFacet.sol#L142
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/PrimaryLiquidationFacet.sol#L47

Vulnerability details

Impact

A malicious user can avoid liquidation by front-running a liquidation call that would liquidate their unhealthy position. This can jeopardise the protocol’s solvency.

Proof of Concept

This vulnerability is borne from the fact that there is a missing check for the state of health of the SR’s position in the exitShortWallet(...), exitShortErcEscrowed(...) and exitShort(...) functions respectively, and as such even unhealthy SRs can be liquidated.

Scenario

Tools Used

Manual review

Recommended Mitigation Steps

My recommendation here is only part of the recommendation I gave in a separate issue I submitted for this contest, titled "Bad debt socialisation can lead to premature liquidation of healthy positions that exit partially".

In the exitShortWallet(...), exitShortErcEscrowed(...) and exitShort(...) functions, add a check to ensure the SR's CR is above the liquidation CR (i.e. that it is properly collateralised) before updateErcDebt(...) is called in all the exit functions.

Assessed type

Invalid Validation
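The pattern the finding describes, as an added example that is not DittoETH's code and is not part of the original report: a minimal short-record store with a hypothetical unchecked exit path next to one that refuses to touch the debt while the position is below the liquidation CR. All contract, struct and function names (ShortExitExample, ShortRecord, exitShortUnchecked, exitShortChecked, _updateErcDebt) and the 1e18-scaled ratio arithmetic are assumptions made for illustration; the real facets use a different storage layout and pricing path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not DittoETH code. Names and layout are hypothetical.
contract ShortExitExample {
    uint256 public constant PRECISION = 1e18;

    struct ShortRecord {
        address shorter;
        uint256 collateral; // ETH collateral, 1e18 scaled
        uint256 ercDebt;    // stablecoin debt, 1e18 scaled
    }

    mapping(uint256 => ShortRecord) public shorts;
    uint256 public nextId;
    uint256 public ethPrice;      // stablecoin per ETH, 1e18 scaled (set by owner here, oracle in practice)
    uint256 public liquidationCR; // e.g. 1.5e18 means 150%

    error NotShorter();
    error PositionUnhealthy(uint256 cr, uint256 threshold);

    constructor(uint256 _ethPrice, uint256 _liquidationCR) {
        ethPrice = _ethPrice;
        liquidationCR = _liquidationCR;
    }

    function openShort(uint256 collateral, uint256 ercDebt) external returns (uint256 id) {
        id = nextId++;
        shorts[id] = ShortRecord(msg.sender, collateral, ercDebt);
    }

    // Test hook only; a production system would read an oracle.
    function setEthPrice(uint256 price) external {
        ethPrice = price;
    }

    /// Collateral ratio scaled by PRECISION: collateral * price / debt.
    function collateralRatio(uint256 id) public view returns (uint256) {
        ShortRecord storage sr = shorts[id];
        if (sr.ercDebt == 0) return type(uint256).max;
        return (sr.collateral * ethPrice) / sr.ercDebt;
    }

    /// What a liquidator checks: CR below the liquidation threshold.
    function isLiquidatable(uint256 id) public view returns (bool) {
        return collateralRatio(id) < liquidationCR;
    }

    /// Vulnerable shape: the debt update runs with no health check, so a
    /// shorter whose position is already liquidatable can shrink the debt
    /// (and so raise the CR) in the same block a liquidation lands.
    function exitShortUnchecked(uint256 id, uint256 repay) external {
        ShortRecord storage sr = shorts[id];
        if (sr.shorter != msg.sender) revert NotShorter();
        _updateErcDebt(sr, repay);
    }

    /// Hardened shape: refuse the exit while CR < liquidationCR, before any
    /// debt is updated, so an unhealthy position stays liquidatable.
    function exitShortChecked(uint256 id, uint256 repay) external {
        ShortRecord storage sr = shorts[id];
        if (sr.shorter != msg.sender) revert NotShorter();
        uint256 cr = collateralRatio(id);
        if (cr < liquidationCR) revert PositionUnhealthy(cr, liquidationCR);
        _updateErcDebt(sr, repay);
    }

    /// Stand-in for the protocol's debt bookkeeping; underflow reverts in 0.8.x.
    function _updateErcDebt(ShortRecord storage sr, uint256 repay) internal {
        sr.ercDebt -= repay;
    }
}
```

With liquidationCR = 1.5e18, ethPrice = 2000e18, and a short of 1e18 collateral against 1500e18 debt, collateralRatio returns 1.333e18, so isLiquidatable is true. exitShortUnchecked(id, 1000e18) then drops the debt to 500e18 and the CR to 4e18, and the liquidator's pending call finds a healthy position; exitShortChecked reverts with PositionUnhealthy instead, which is the check the report asks for in front of updateErcDebt(...).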

c4-pre-sort commented 5 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as primary issue

raymondfam commented 5 months ago

Readme: Issues related to front-running: can front-run someone's order, liquidation, the chainlink/uniswap oracle update.

c4-judge commented 5 months ago

hansfriese marked the issue as unsatisfactory: Out of scope