When a vault is being liquidated, the remaining margin may fail to transfer to original trader due to USDT blocklist #39
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-42
🤖_primary: AI based primary recommendation
🤖_27_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/logic/LiquidationLogic.sol#L99
Vulnerability details
Impact
When a vault is being liquidated, the remaining margin may fail to transfer to the original trader due to the USDT blocklist.
Bug Description
First, the contest README states that USDT is supported by the protocol. USDT has a blocklist feature where blocklisted users would not be able to receive tokens, and the transaction would revert.
When a trader opens a position and the position becomes insolvent, liquidators may come and liquidate this position. If there is remaining margin in the vault, it would be sent to the vault.recipient, which is the trader himself. However, if the trader becomes blocked by USDT after he opens the position, his position would not be fully liquidatable, which means it may become bad debt for the protocol. Note that some may argue that users can just liquidate 99.9999% of the position; however, this is another design issue that incorrectly incentivizes liquidators, which I created a separate issue for.
The key here is that when liquidation finishes, the remaining margin is sent back to the trader, and since it may be unsendable due to the USDT blocklist, the position may remain unliquidated forever.
Proof of Concept
N/A
Tools Used
Manual review
Recommended Mitigation Steps
Don't transfer the quoteToken back to the trader. The remaining margin can be used to supply the PairStatus quoteToken pool, and simply mint the supply tokens to the trader. The trader can withdraw the tokens himself later.
Assessed type
Token-Transfer
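The sketch below is an added example, not code from the report or from Predy, contrasting push settlement of the remaining margin with a pull-based variant of the recommended mitigation. It swaps in a simpler technique than the one the report proposes (a claimable balance instead of minting supply tokens), and every contract, function and variable name in it is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Predy code. Every name below is hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract MarginSettlementSketch {
    address public immutable quoteToken;           // e.g. a token with a blocklist
    mapping(address => uint256) public claimable;  // margin owed to each trader

    event MarginCredited(address indexed recipient, uint256 amount);

    constructor(address _quoteToken) {
        quoteToken = _quoteToken;
    }

    // Push settlement, the behaviour the report describes: if the token
    // reverts for `recipient`, the liquidation that called this reverts too.
    function _settlePush(address recipient, uint256 remainingMargin) internal {
        _safeTransfer(recipient, remainingMargin);
    }

    // Pull settlement: liquidation only updates accounting, so the
    // recipient's status on the token cannot block it.
    function _settlePull(address recipient, uint256 remainingMargin) internal {
        claimable[recipient] += remainingMargin;
        emit MarginCredited(recipient, remainingMargin);
    }

    // The trader withdraws later in a separate transaction. A revert here
    // affects only the caller, never the liquidator.
    function claim(address to) external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[msg.sender] = 0; // effects before the external call
        _safeTransfer(to, amount);
    }

    // Accepts tokens that return no value from transfer(), as USDT does on Ethereum mainnet.
    function _safeTransfer(address to, uint256 amount) private {
        (bool ok, bytes memory ret) =
            quoteToken.call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}
```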