search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

ubl4nk - liquidation process should not be paused while the protocol is paused #175

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

ubl4nk

medium

liquidation process should not be paused while the protocol is paused

Summary

We see the liquidate function is protected by whenNotPaused, when the LiquidationModule is paused then the keeper/liquidator bots are unable to liquidate the liquidated positions which causes major losses for the LPs and the protocol. There should be a list of whilte-listed keeper/liquidator bots they are able to liquidate positions even if the protocol is paused.

Vulnerability Detail

liquidate function is protected by whenNotPaused:

function liquidate(uint256 tokenId) public nonReentrant whenNotPaused liquidationInvariantChecks(vault, tokenId) {

Now assume many long positions are liquidated due to a drop in price of rETH and LiquidationModule is paused. We assume the totalPnL of those positions are now 0$, if the price drops more and more, then the totalPnL will go into negative if they not being liquidated immediately, then the LPs will lose more and more collaterals/funds/rETH's.

When the protocol is paused then no keeper/liquidator bots can call liquidate to liquidate those positions, then if the price drops more, those liquidated positions will make a huge loss for the LPs (UNIT holders, Short positions) and the protocol. There should be at least a list of whitelisted keeper/liquidator bots which are able to liquidate the positions even if the Module is paused.

Impact

If the LiquidationModule is paused, then no one can call liquidate to liquidate the liquidated-positions and then if the price drops more, the liquidated positions will make more and more losses for LPs and the Protocol.

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/LiquidationModule.sol#L85

Tool used

Manual Review

Recommendation

Consider adding a list of white-listed keeper/liquidator bots, they are allowed to liquidate the liquidated-positions even if the protocol is paused.

Duplicate of #206

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid