Description

The close_factor_bps represents the percentage of a liquidatable account's liability that can be repaid in a single liquidation transaction, which is applied globally to every asset pair.

public entry fun set_close_factor_bps(manager: &signer, close_factor_bps: u64) acquires IsolatedLending {
    assert!(manager::is_manager(manager), ERR_ISOLATED_LENDING_UNAUTHORIZED);
    assert!(close_factor_bps <= BPS_BASE, ERR_ISOLATED_LENDING_INVALID_CLOSE_FACTOR_BPS);

    // update close_factor_bps
    let isolated_lending = borrow_global_mut<IsolatedLending>(package::package_address());
    isolated_lending.close_factor_bps = close_factor_bps;
}

The protocol admin can modify this parameter via the set_close_factor_bps function, but the function does not check if the value of close_factor_bps is nonzero.

Impact

The protocol admin can prevent all positions from being liquidated.

Recommendations

Add a check to ensure the value of close_factor_bps is nonzero.

Remediation

Echelon acknowledged that the mechanism can be abused to block liquidation, and explained the current bound of the close factor will be kept to allow temporary blocking of liquidation in case a technical issue is discovered.