Inablity to perform partial liquidations allows huge positions to accrue bad debt

Vulnerability Detail

In the current implementation of sentiment, no partial liquidation is allowed. It is only possible, to liquidate the position if the position becomes healthy after seizing the violator assets.

    function liquidate(address position, DebtData[] calldata debtData, AssetData[] calldata assetData) external nonReentrant {
        riskEngine.validateLiquidation(position, debtData, assetData);

        // liquidate
        _transferAssetsToLiquidator(position, assetData);
        _repayPositionDebt(position, debtData);

//@audit-issue position should be healthy after liquidation
        // position should be within risk thresholds after liquidation
@>>        if (!riskEngine.isPositionHealthy(position)) revert PositionManager_HealthCheckFailed(position);
        emit Liquidation(position, msg.sender, ownerOf[position]);
    }

The problem is that if a borrower uses the leveraging function of sentiment to borrow up to 20times the value of his collateral, to attain a big debt of tokens surpassing the current market liquidity of the borrow token, no liquidator will be able to liquidate the position, exposing the protocol to the risk of insolvancy and accumulation of bad debt. There are tokens like CRV (see the CRV founder incident), that doesn't have enough market liquidity. Taking such a large debt could lead to situation where it is not possible to accumulate enough liquidity from the market,(either at all, or this will lead to the price of the token being significantly lowered through those actions) to partially liquidate the positions Please also notice, that this is also caused by the fact that there is no upper limit on the value of loans being taken on the protocol, this also increases the risk of such a scenario happening.

Impact

Certain positions wouldn't be possible to be liquidated, which will lead to the accumulation of bad debt. With the creation of bad, this will result in liquidity providers tokens being slashed and the liquidity providers of the pools losing value. The risk is also highlited by the fact that sentiment is a leveraging lending protocol that allows to borrow up to 20 times the value of the collateral.

Code Snippet

https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/0b472f4bffdb2c7432a5d21f1636139cc01561a5/protocol-v2/src/PositionManager.sol#L430-L444

Tool used

Manual Review

Recommendation

The simplest solution to this without updating the liquidation formula would be to add a max loan value, similar to how MIN_DEBT is implemented in Pool.sol

Duplicate of #102

samuraii77 commented 1 month ago

294 is a duplicate.

AtanasDimulski commented 1 month ago

Escalate, Per the above comment

sherlock-admin3 commented 1 month ago

Escalate, Per the above comment

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

elhajin commented 1 month ago

this one , and #294 are duplicates of #309 , not duplicate of #211

211 is about how bad debt handled as this comment explain, while #294 and this one is about how not allowing partial liquidation can lead to bad debt

cvetanovv commented 1 month ago

I agree that #191 and #294 are duplicates of #309. I will duplicate them together. However, whether they will be valid will be decided by the escalation on #309.

Planning to accept the escalation and duplicate #191 and #294 with #309.