When liquidate function is called from the Liquidationbot.sol it sets the slippage parameter (ie. minExchangeRate) to zero. Hardcoding slippage tolerance as 100 % is a bad idea because in flash markets collateral prices may jump high to cause market disruption.
Vulnerability Detail
The LiquidationBot is operated by the "KEEPER" role. It will accept zero collateral amounts in extreme market conditions and cause loss of value for the protocol since protocol supplies TAU to the Liq Bot.
There should be a setter function to change slippage parameter in case of extreme market conditions. Governance should be able to set minExchangeRate value after deployment.
Chinmay
medium
Extreme slippage tolerance by Liquidation Bot
Summary
When liquidate function is called from the Liquidationbot.sol it sets the slippage parameter (ie. minExchangeRate) to zero. Hardcoding slippage tolerance as 100 % is a bad idea because in flash markets collateral prices may jump high to cause market disruption.
Vulnerability Detail
The LiquidationBot is operated by the "KEEPER" role. It will accept zero collateral amounts in extreme market conditions and cause loss of value for the protocol since protocol supplies TAU to the Liq Bot.
Impact
Hardcoded slippage should be avoided.
Code Snippet
https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/LiquidationBot/LiquidationBot.sol#L100
Tool used
Manual Review
Recommendation
There should be a setter function to change slippage parameter in case of extreme market conditions. Governance should be able to set minExchangeRate value after deployment.
Duplicate of #19