safdie - Inconsistent liquidation state could result in incorrect liquidation handling or an incomplete process in `DeferredLiquidationFacetImpl.sol` #20
Setup the initial liquidation state: Call deferredLiquidatePartyA to set the liquidation status for partyA.
Manipulate the state with out-of-order calls: Call deferredSetSymbolsPrice without completing or checking the liquidation process first.
Result observation: Check if the liquidation has unintended consequences, like being able to alter the liquidation type or incorrectly set symbols' prices while partyA is not fully liquidated.
Impact
Liquidation might fail to process properly, leading to discrepancies in balances for partyA. This could allow partyA to avoid or delay liquidation unfairly.
Incorrect prices or liquidation states could lead to misinformed decisions, causing further financial impact on parties involved.
A malicious actor could intentionally perform liquidation actions out of order to exploit inconsistencies and gain financially.
PoC
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.18;
import "./DeferredLiquidationFacetImpl.sol";
contract TestInconsistentLiquidationState {
function testOutOfOrderLiquidation(address partyA, DeferredLiquidationSig calldata liquidationSig) external {
// Step 1: Call deferredSetSymbolsPrice before deferredLiquidatePartyA
DeferredLiquidationFacetImpl.deferredSetSymbolsPrice(partyA, liquidationSig);
// Step 2: Now call deferredLiquidatePartyA, which should ideally trigger liquidation,
// but the liquidation status and symbol prices may be inconsistently set
DeferredLiquidationFacetImpl.deferredLiquidatePartyA(partyA, liquidationSig);
// Check: Observe the liquidation status and symbol prices for `partyA`
// Ideally, there should be logs or checks to validate if the state is inconsistent
}
}
Mitigation
To prevent this, implement a state machine pattern in deferredLiquidatePartyA and deferredSetSymbolsPrice that enforces the correct order of operations. This pattern ensures that deferredLiquidatePartyA must complete before deferredSetSymbolsPrice can execute, and vice versa.
safdie
Medium
Inconsistent liquidation state could result in incorrect liquidation handling or an incomplete process in
DeferredLiquidationFacetImpl.solSummary
Inconsistent liquidation state in
DeferredLiquidationFacetImpl.solcould result in incorrect liquidation handling or an incomplete process.Root Cause
The inconsistent liquidation state vulnerability can be tested by crafting a PoC below to demonstrate how calling
deferredSetSymbolsPricebeforedeferredLiquidatePartyA(or vice versa) could result in incorrect liquidation handling or an incomplete process. https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/liquidation/DeferredLiquidationFacetImpl.sol#L22-L99Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
deferredLiquidatePartyAto set the liquidation status forpartyA.deferredSetSymbolsPricewithout completing or checking the liquidation process first.partyAis not fully liquidated.Impact
partyA. This could allowpartyAto avoid or delay liquidation unfairly.PoC
Mitigation
To prevent this, implement a state machine pattern in
deferredLiquidatePartyAanddeferredSetSymbolsPricethat enforces the correct order of operations. This pattern ensures thatdeferredLiquidatePartyAmust complete beforedeferredSetSymbolsPricecan execute, and vice versa.