Obedient Lava Monkey
Medium
Incorrect handling of bad debt with zero collateral positions can cause an infinite deficit increase.
The lack of a condition to check whether a reserve's deficit has already been updated for bad debt will cause repeated additions to the deficit in _burnDebtTokens, leading to a continually growing deficit for zero-collateral positions during multiple calls to liquidation or debt-cleanup functions.
In LiquidationLogic.sol (within _burnDebtTokens), the protocol assumes that outstandingDebt after liquidation should always be added to deficit. However, if hasNoCollateralLeftis true and the reserve already contains the bad debt from previous calls, the deficit will be incremented repeatedly without bounds.
- The user has no collateral left (
hasNoCollateralLeft == true). outstandingDebt != 0(e.g., from accrued interest or partial liquidation).- The function
_burnDebtTokensis called multiple times for the same reserve and user.
None (assumes trusted dependencies).
- A user becomes undercollateralized or leaves bad debt after liquidation.
- The
deficitfor the reserve is updated in_burnDebtTokensduring the first call. - The same user’s bad debt triggers multiple liquidation or debt cleanup calls, and the
deficitis incremented each time without checking if it already includes the user's outstanding debt.
The protocol suffers an unbounded inflation of the reserve’s deficit, making it impossible to accurately track the actual bad debt. This could mislead governance and treasury operations, ultimately damaging the protocol's financial integrity.
Add a check to ensure that the user's outstanding debt is only added to the reserve's deficit once.