jokr - Liquidation penatly should only be paid by account owner

[sherlock-admin2]

jokr

medium

Liquidation penatly should only be paid by account owner

Summary

In settleLiquidationUnhappyFlow the liquidation penatly is being paid by the LP providers. Liquidation penalty is something which should be provided by account owner for being liquidated

Vulnerability Detail

In unhappy flow _syncLiquidationFee(remainder - terminationReward); is called to provide liquidation penalty to tranche and tressury. But in unhappy flow account owner doesn't pay any tokens for his debt. The debt is covered by LP providers. So the liquidation penalty is paid by LP providers in this case

Impact

LP providers are paying liquidation

Code Snippet

      uint256 remainder = liquidationPenalty + terminationReward - openDebt;
            if (openDebt >= liquidationPenalty) {
                // "openDebt" is bigger than the "liquidationPenalty" but smaller than the total pending liquidation incentives.
                // Don't pay out the "liquidationPenalty" to Lps, partially pay out the "terminator".
                realisedLiquidityOf[terminator] += remainder;
            } else {
                realisedLiquidityOf[terminator] += terminationReward;
                _syncLiquidationFee(remainder - terminationReward);
            }
            totalRealisedLiquidity = SafeCastLib.safeCastTo128(totalRealisedLiquidity + remainder);

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/lending-v2/src/LendingPool.sol#L1016

Tool used

Manual Review

Recommendation

No liquidation penalty in unhappy flow

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

[nevillehuang]

Invalid, agree with sponsors comments:

Liquidation penalty is paid by the account owner (his collateral assets are sold), an equal amount of assets accredited to the terminator is added to the pool → no LP pays for it