Liquidate process may be reverted because of USDC's blacklist #6
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-42
edited-by-warden
🤖_27_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/libraries/logic/LiquidationLogic.sol#L39-L100
Vulnerability details
Impact
When a position is not safe, liquidators should liquidate it. The liquidation may revert because of USDC's blacklist. If unsafe positions cannot be liquidated, the protocol has to take on more risk. This is unexpected.
Proof of Concept
When a position is not safe, liquidators can liquidate it and transfer the remaining margin, if there is any, to vault.recipient. The vulnerability is that the remaining margin cannot be transferred to vault.recipient if vault.recipient is on USDC's blacklist.

What's more, the vault owner can update the vault's vault.recipient via the function updateRecepient. If the trader does not trade via the perp market or the gamma market and instead trades with the predy pool directly, the trader can become the vault's owner. This means that a user who does not want to be liquidated while some margin is left, even though the position is not safe, can update vault.recipient to a known USDC-blacklisted address. This prevents liquidation while some margin is left. The trader can then update vault.recipient back to himself via updateRecepient when he wants to close his position.

USDC transfer function with blacklist.
Tools Used
Manual
Recommended Mitigation Steps
Consider leaving the remaining margin in the pool, and adding a new function that lets the trader claim the remaining margin.
Assessed type
DoS
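The recommended mitigation, sketched as an added example that is not code from the Predy repository or from the report: the push transfer that can revert is shown next to a pull-based alternative that only writes to storage during liquidation. All contract, function, mapping and event names below are hypothetical, and the vault bookkeeping that would populate recipientOf and call the settlement helper is assumed to exist elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Every name here is hypothetical; this is not Predy's code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract PullMarginSketch {
    IERC20 public immutable quoteToken; // assumed: a blacklist-enforcing token such as USDC
    mapping(uint256 => address) public recipientOf; // vaultId => vault.recipient
    mapping(address => uint256) public claimableMargin; // margin owed, keyed by recipient

    event MarginCredited(uint256 indexed vaultId, address indexed recipient, uint256 amount);
    event MarginClaimed(address indexed recipient, uint256 amount);

    constructor(IERC20 _quoteToken) {
        quoteToken = _quoteToken;
    }

    // Push settlement, the pattern the report describes: if the recipient is
    // blacklisted the token transfer reverts, and the liquidation reverts with it.
    function _settlePush(uint256 vaultId, uint256 remainingMargin) internal {
        if (remainingMargin > 0) {
            require(quoteToken.transfer(recipientOf[vaultId], remainingMargin), "transfer failed");
        }
    }

    // Pull settlement: the liquidation path only updates storage, so the
    // recipient's status on the token cannot make the liquidation revert.
    function _settlePull(uint256 vaultId, uint256 remainingMargin) internal {
        if (remainingMargin == 0) return;
        address recipient = recipientOf[vaultId];
        claimableMargin[recipient] += remainingMargin;
        emit MarginCredited(vaultId, recipient, remainingMargin);
    }

    // The recipient withdraws later; a revert here affects only the caller.
    function claimMargin() external {
        uint256 amount = claimableMargin[msg.sender];
        require(amount > 0, "nothing to claim");
        claimableMargin[msg.sender] = 0; // clear the balance before the external call
        require(quoteToken.transfer(msg.sender, amount), "transfer failed");
        emit MarginClaimed(msg.sender, amount);
    }
}
```

Because the credit is keyed by the recipient recorded at liquidation time, changing vault.recipient afterwards does not move margin that has already been credited.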