Lack of Grace Period After Oracle Recovery in Liquidation Functions
Lines of code
Vulnerability details
The liquidatePosition and liquidatePositionBadDebt functions in CDPVault.sol revert when the spot price is zero, effectively pausing liquidations. However, when the spot price becomes non-zero again, there's no grace period before liquidations can resume. This can lead to immediate liquidations of positions that became undercollateralized during the price feed outage, unfairly disadvantaging users.
Impact
This vulnerability can have severe consequences:
- Unfair Liquidations: Users whose positions became undercollateralized during the price feed outage can be liquidated immediately when the feed resumes, without a chance to adjust their positions.
- Advantage to Liquidation Bots: Liquidation bots can exploit this situation, liquidating positions before users have a chance to react.
- User Losses: Users may suffer unnecessary losses due to inability to manage their positions during and immediately after the oracle failure.
Proof of Concept
In the CDPVault contract:
```solidity
// File: CDPVault.sol

// Lines 522-524 (liquidatePosition function)
uint256 spotPrice_ = spotPrice();
if (spotPrice_ == 0) revert CDPVault__liquidatePosition_invalidSpotPrice();

// Lines 590-591 (liquidatePositionBadDebt function)
uint256 spotPrice_ = spotPrice();
if (spotPrice_ == 0) revert CDPVault__liquidatePosition_invalidSpotPrice();
```
These checks prevent liquidations when the price is zero but offer no protection immediately after the price becomes non-zero.
Tools Used
Manual code review
Recommended Mitigation Steps
Add a grace period after the price becomes non-zero, so that liquidations can only be executed once the grace period has passed, giving users enough time to adjust their margins.
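One way to implement the recommended grace period, shown as an added example that is not CDPVault's own code. The contract name, `syncOracleStatus`, `_requireLiquidationsOpen`, the custom errors and the one-hour `GRACE_PERIOD` are all hypothetical; only `spotPrice()` comes from the report, and it is assumed the vault can declare it as an override.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration of a post-outage liquidation grace period.
/// Every name here except spotPrice() is hypothetical.
abstract contract LiquidationGracePeriod {
    uint256 public constant GRACE_PERIOD = 1 hours; // assumed value; tune per market

    bool public oracleDown;           // true once a zero price has been recorded
    uint256 public oracleRecoveredAt; // timestamp of the last recorded recovery

    error OracleDown();
    error RecoveryNotRecorded();
    error GracePeriodActive(uint256 endsAt);

    /// Provided by the vault; the report shows CDPVault calling spotPrice().
    function spotPrice() public view virtual returns (uint256);

    /// Permissionless status sync. It must not revert on a zero price:
    /// a revert would roll back the outage flag, which is why the flag
    /// cannot be set inside the liquidation functions themselves.
    /// Limitation: an outage is only recorded if someone calls this
    /// while the price is zero (borrowers have the incentive to do so).
    function syncOracleStatus() external {
        bool isZero = spotPrice() == 0;
        if (isZero && !oracleDown) {
            oracleDown = true;
        } else if (!isZero && oracleDown) {
            oracleDown = false;
            oracleRecoveredAt = block.timestamp; // grace window starts here
        }
    }

    /// Call at the top of liquidatePosition and liquidatePositionBadDebt,
    /// passing the spot price those functions already read.
    function _requireLiquidationsOpen(uint256 spotPrice_) internal view {
        if (spotPrice_ == 0) revert OracleDown();
        // Price is back but the recovery has not been recorded yet:
        // force a syncOracleStatus() call so the window starts first.
        if (oracleDown) revert RecoveryNotRecorded();
        uint256 endsAt = oracleRecoveredAt + GRACE_PERIOD;
        if (block.timestamp < endsAt) revert GracePeriodActive(endsAt);
    }
}
```

The grace window only helps if the functions users need to repair a position (repaying debt, adding collateral) remain callable while it is active, so the check belongs on the liquidation paths only.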
Assessed type
Other