search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

Psyduck - No check on L2 sequencer can result in unfair liquidations #42

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

Psyduck

medium

No check on L2 sequencer can result in unfair liquidations

Summary

No check on L2 sequencer can result in unfair liquidations

Vulnerability Detail

The liquidate function allows a user to liquidate a position

  function liquidate(uint256 tokenId) public nonReentrant whenNotPaused liquidationInvariantChecks(vault, tokenId) {
        FlatcoinStructs.Position memory position = vault.getPosition(tokenId);

        (uint256 currentPrice, ) = IOracleModule(vault.moduleAddress(FlatcoinModuleKeys._ORACLE_MODULE_KEY)).getPrice();

        // Settle funding fees accrued till now.
        vault.settleFundingFees();

        // Check if the position can indeed be liquidated.
        if (!canLiquidate(tokenId)) revert FlatcoinErrors.CannotLiquidate(tokenId);

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/LiquidationModule.sol#L85

then it makes several checks to make sure if a position can be liquidated shown here

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/libraries/PerpMath.sol#L341

However, there is no check whether the L2 sequencer has been recently shut down. This can have severe consequences. Let's say that a Bob has a healthy position and then the sequencer is shutdown for a long period of time. During that time, there is significant price movement for rETH, making Bob's position unhealthy. As soon as the sequencer is back up online, Bob is immediately liquidated, without him ever having a chance to shore up his position.

It is recommended to have a grace period, after a shutdown to give users time to shore up their positions

Impact

Users can be unfairly liquidated due to an L2 shutdown

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/LiquidationModule.sol#L85

Tool used

Manual Review

Recommendation

Add a grace period to give users time to shore up their positions after a shutdown

Duplicate of #27

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid