DJINN - Liquidate other user's positions without intent or permissions

[sherlock-admin2]

DJINN

high

Liquidate other user's positions without intent or permissions

Summary

A user's position can be liquidated by anyone as long as they have the tokenID for the NFT representing the position.

Vulnerability Detail

The liquidate() function does not check if the provided tokenID has an associated order or if the caller is permitted to liquidate the position. This enables malicious users to liquidate any long position in the protocol.

Impact

• A user's position is liquidated without their permission or intent.
• Keepers will not get fees for a task they are supposed to do (closing the position).

Code Snippet

• src/LiquidationModule#L85-L177

Tool used

Manual Review

Recommendation

• Ensure that a position has an order to close associated with it before liquidating it.
• Ensure that operation such as closing a position is done by keepers through appropriate functions.

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

[nevillehuang]

Invalid, liquidation should be performed by any liquidator as long as the position can be liquidated, wherein users position has margin below acceptable liquidation margin