code-423n4/2024-07-loopfi-validation

Lack of Slippage Protection in liquidatePosition function

Closed this issue · 0 comments

c4-bot-9 commented

Lines of code

https://github.com/code-423n4/2024-07-loopfi/blob/57871f64bdea450c1f04c9a53dc1a78223719164/src/CDPVault.sol#L509

Vulnerability details

Issue

The current implementation of the liquidatePosition function does not incorporate any mechanisms to protect against slippage. This means that if the market price of the collateral fluctuates during the transaction processing time, the liquidator may end up receiving a lower amount of collateral than expected.

Impact

The primary impact of this issue is financial loss for liquidators, who may not be adequately compensated for their risk. This can deter participation in liquidation events, which are crucial for maintaining the health of the lending protocol.

Scenario

Consider a scenario where a liquidator attempts to liquidate a position when the market is volatile. If the price of the collateral drops significantly during the transaction processing, the liquidator might receive much less than anticipated. By implementing the minimum collateral parameter, the liquidator can ensure that they only proceed if the transaction meets their financial expectations.

Fix

Implement Minimum Collateral Received Parameter

Introduce a parameter that specifies a minimum amount of collateral that must be received during a liquidation. This could be implemented as follows:

  1. Introduce a new parameter, minCollateralReceived, which specifies the minimum collateral that the liquidator expects to receive.

  2. Before executing the liquidation, the contract should check the current market price of the collateral and calculate the expected amount of collateral based on this price. If the expected amount is below minCollateralReceived, the liquidation should be reverted.

   function liquidatePosition(address position, uint256 minCollateralReceived) external {
       // Retrieve current spot price
       uint256 currentSpotPrice = spotPrice();
       
       // Calculate expected collateral based on current price
       uint256 expectedCollateral = calculateExpectedCollateral(position, currentSpotPrice);
       
       // Check if expected collateral meets the minimum requirement
       require(expectedCollateral >= minCollateralReceived, "Insufficient collateral received");
       
       // Proceed with liquidation
       // ... (existing liquidation logic)
   }

Assessed type

Invalid Validation