code-423n4 / 2024-03-saltyio-mitigation-findings


M-04 MitigationConfirmed #50

Open c4-bot-8 opened 8 months ago

c4-bot-8 commented 8 months ago

Lines of code

Vulnerability details

C4 Issue

https://github.com/code-423n4/2024-01-salty-findings/issues/912

Comments

The Salty protocol's liquidation mechanism is flawed when only a single user is borrowing USDS. This flaw emerges because the liquidateUser() function cannot proceed if doing so would diminish the pool's reserves below the DUST value upon attempting to remove the user's liquidity, as can be seen in the line below:

require((reserves.reserve0 >= PoolUtils.DUST) && (reserves.reserve0 >= PoolUtils.DUST), "Insufficient reserves after liquidity removal");  

Consequently, if the entirety of the collateral backing USDS is supplied by one user, any liquidation attempt would fail, making it impossible to address the under-collateralization and leading to potential bad debt within the protocol.

Mitigation

https://github.com/othernet-global/salty-io/commit/8e3231d3f444e9851881d642d6dd03021fade5ed

The mitigation for this issue revolved around the deprecation of a number of key components, including the overcollateralized USDS stablecoin framework, which also meant borrowing of USDS no longer exists; ergo, liquidations are no longer possible.

Conclusion

LGTM
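
The failure mode described in the comment above, as an added example that is not part of the original issue or Salty's code: a simplified Python model of a pool whose liquidity removal enforces the quoted DUST check, showing that a sole collateral provider cannot be liquidated while one of two providers can. The DUST value of 100, the share accounting and all class and function names are assumptions made for illustration.

```python
import copy

DUST = 100  # assumed value of PoolUtils.DUST, for illustration only

class InsufficientReserves(Exception):
    """Stands in for the revert raised by the quoted require()."""

class CollateralPool:
    """Hypothetical two-token pool with proportional liquidity shares."""

    def __init__(self):
        self.reserve0 = self.reserve1 = self.total_shares = 0
        self.shares = {}

    def add_liquidity(self, user, amount0, amount1):
        # First deposit mints amount0 + amount1 shares; later ones are pro rata.
        if self.total_shares == 0:
            minted = amount0 + amount1
        else:
            minted = amount0 * self.total_shares // self.reserve0
        self.reserve0 += amount0
        self.reserve1 += amount1
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted

    def remove_liquidity(self, user, amount):
        out0 = self.reserve0 * amount // self.total_shares
        out1 = self.reserve1 * amount // self.total_shares
        left0, left1 = self.reserve0 - out0, self.reserve1 - out1
        # Mirrors the quoted require(), which tests reserve0 in both clauses.
        if not (left0 >= DUST and left0 >= DUST):
            raise InsufficientReserves("Insufficient reserves after liquidity removal")
        self.reserve0, self.reserve1 = left0, left1
        self.total_shares -= amount
        self.shares[user] -= amount
        return out0, out1

def liquidate_user(pool, user):
    """Seize all of the user's collateral liquidity, as a liquidation would."""
    return pool.remove_liquidity(user, pool.shares[user])

def can_liquidate(pool, user):
    """Dry run on a copy, so monitoring code can flag positions that are stuck."""
    try:
        liquidate_user(copy.deepcopy(pool), user)
        return True
    except InsufficientReserves:
        return False
```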

c4-judge commented 8 months ago

Picodes marked the issue as nullified

c4-judge commented 8 months ago

Picodes marked the issue as satisfactory

c4-judge commented 8 months ago

Picodes marked the issue as confirmed for report