code-423n4 / 2024-05-predy-findings


Liquidation may revert when the account is blacklisted #288

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/logic/LiquidationLogic.sol#L99

Vulnerability details

Impact

Users might not get liquidated, and can make their position healthy by depositing more collateral

Proof of Concept

In Predy, a particular user can liquidate themselves, and whether they are eligible for liquidation can be confirmed by checkVaultIsDanger, which ultimately checks bool isSafe = vaultValue >= minMargin && _vault.margin >= 0; and they can be liquidated if the above check is true. After liquidation, if they still have a remaining amount left, the remaining margin is transferred back to them by this check

if (!hasPosition) {
    int256 remainingMargin = vault.margin;

    if (remainingMargin > 0) {
        if (vault.recipient != address(0)) {
            // Send the remaining margin to the recipient.
            vault.margin = 0;

            sentMarginAmount = uint256(remainingMargin);

            ERC20(pairStatus.quotePool.token).safeTransfer(vault.recipient, sentMarginAmount); //@audit if the user gets blacklisted after opening the position then the liquidation will fail
        }
...
....

}

The protocol is compatible with tokens such as USDC/USDT, so if the user gets blacklisted after depositing in the protocol or before liquidation, their liquidation will revert. So anyone trying to liquidate them, including the user themselves, will fail in this process.

Tools Used

Manual Review

Recommended Mitigation Steps

Add logic to transfer the remaining margin to the Predy pool and let users withdraw it from there.

Assessed type

ERC20
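As an added illustration (not Predy's code and not part of the original report): a hypothetical contract, assuming OpenZeppelin's IERC20/SafeERC20 and invented names such as claimableMargin and settleMarginPull, that places the push-transfer path described in the finding next to the pull-based settlement suggested in the mitigation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical sketch, not Predy's LiquidationLogic: the remaining-margin
// payout written both ways, so the failure mode and the fix sit side by side.
contract MarginSettlementSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable quoteToken;

    // Margin the pool owes each recipient, claimable via claimMargin().
    mapping(address => uint256) public claimableMargin;

    event MarginCredited(address indexed recipient, uint256 amount);

    constructor(IERC20 quoteToken_) {
        quoteToken = quoteToken_;
    }

    // Push pattern, as in the reported code path: the liquidation itself
    // performs the token transfer. With a blacklist-enforcing token (USDC,
    // USDT) and a blacklisted recipient, safeTransfer reverts and takes the
    // whole liquidation with it, leaving the unhealthy vault open.
    function settleMarginPush(address recipient, uint256 remainingMargin) internal {
        if (remainingMargin == 0 || recipient == address(0)) return;
        quoteToken.safeTransfer(recipient, remainingMargin);
    }

    // Pull pattern, the recommended mitigation: the liquidation only records
    // what is owed and makes no external token call, so the recipient's
    // blacklist status cannot block it. The tokens stay in the pool.
    function settleMarginPull(address recipient, uint256 remainingMargin) internal {
        if (remainingMargin == 0 || recipient == address(0)) return;
        claimableMargin[recipient] += remainingMargin;
        emit MarginCredited(recipient, remainingMargin);
    }

    // The recipient withdraws in a separate transaction. If that transfer
    // reverts, only this claim fails; liquidations are unaffected.
    function claimMargin() external {
        uint256 amount = claimableMargin[msg.sender];
        require(amount > 0, "nothing to claim");
        claimableMargin[msg.sender] = 0; // zero the balance before the transfer
        quoteToken.safeTransfer(msg.sender, amount);
    }
}
```

A liquidation bot or the vault owner calling the pull-based path never touches the token contract, so the liquidation's success no longer depends on the recipient's transfer eligibility.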

c4-judge commented 2 months ago

alex-ppg marked the issue as partial-75