Skip to content

Latest commit

 

History

History
100 lines (76 loc) · 3.55 KB

024.md

File metadata and controls

100 lines (76 loc) · 3.55 KB

Low Tangerine Cod

High

liquidationType2 is not implemented at all right now

Summary

liquidationType2 doesn't market deposit as liquidated type 2 just not implemented at all at this moment, like type1

Root Cause

Whenever admin choses type2 liquidation there is eventuall call to liquidationType2, there is no update to depositDetail.liquidated value, which means that after position liquidated, if price improves for that position and position health become more than 8000 users will be able to withdraw their deposit, which should not be happening

    function liquidationType2(
        address user,
        uint64 index,
        uint64 currentEthPrice
    ) internal {
        // Get the borrower and deposit details
        ITreasury.GetBorrowingResult memory getBorrowingResult = treasury.getBorrowing(user, index);
        ITreasury.DepositDetails memory depositDetail = getBorrowingResult.depositDetails;
->        require(!depositDetail.liquidated, "Already Liquidated");

        // Check whether the position is eligible for liquidation
        uint128 ratio = BorrowLib.calculateEthPriceRatio(depositDetail.ethPriceAtDeposit, currentEthPrice);
        require(ratio <= 8000, "You cannot liquidate, ratio is greater than 0.8");

        uint256 amount = BorrowLib.calculateHalfValue(depositDetail.depositedAmountInETH);

        // Convert the ETH into WETH
        weth.deposit{value: amount}();
        // Approve it, to mint sETH
        bool approved = weth.approve(address(wrapper), amount);

        if (!approved) revert BorrowLiq_ApproveFailed();

        // Mint sETH
        wrapper.mint(amount);
        // Exchange sETH with sUSD
        synthetix.exchange(
            0x7345544800000000000000000000000000000000000000000000000000000000,
            amount,
            0x7355534400000000000000000000000000000000000000000000000000000000
        );

        // Calculate the margin
        int256 margin = int256((amount * currentEthPrice) / 100);
        // Transfer the margin to synthetix
        synthetixPerpsV2.transferMargin(margin);

        // Submit an offchain delayed order in synthetix for short position with 1X leverage
        synthetixPerpsV2.submitOffchainDelayedOrder(
            -int((uint(margin * 1 ether * 1e16) / currentEthPrice)),
            currentEthPrice * 1e16
        );
    }

Core_logic/borrowLiquidation.sol#L324

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. User deposit
  2. User's health drops/price of collateral drop. 3, user's deposit being liquidated with type2.
  3. monitor until deposit becomes healthy- withdraw it

Impact

Users will be able to withdraw their deposits after liquidation.

PoC

No response

Mitigation

liquidate type 2 just not implemented at all at this moment, like type1. All updates to omniChainData, cds are missing update deposit details somewhere

    function liquidationType2(
        address user,
        uint64 index,
        uint64 currentEthPrice
    ) internal {
        // Get the borrower and deposit details
        ITreasury.GetBorrowingResult memory getBorrowingResult = treasury.getBorrowing(user, index);
        ITreasury.DepositDetails memory depositDetail = getBorrowingResult.depositDetails;
        require(!depositDetail.liquidated, "Already Liquidated");
+        depositDetail.liquidated = true;
+        treasury.updateDepositDetails(user, index, depositDetail);