Category: Business Logic
[FIXED] Free liquidation
Critical Severity
Critical Impact
High Likelihood
Description
A check that ensures the price of the bid is less than the current price (including the discounts) was omitted, allowing any user to submit a bid used to determine whether the liquidation was hard or soft.
In the code below, the currentPrice check happens only in the soft liquidation branch. However, it should be checked before the branch, since the branch is what decides the type of liquidation taken.
```solidity
function _execute(
    address account,
    Auction memory auction,
    uint256 bid
) internal {
    require(
        isAuctionable(auction.market, auction.debtor),
        "not.auctionable"
    );
    IMarket market = IMarket(auction.market);
    uint256 swappable = market.collateral().swappableValue(auction.debtor);
    // The bid is compared against the current auction price only on the soft
    // path below; the hard path is entered without any price check.
    if (swappable > bid) {
        /* hard liquidation */
        ...
    } else {
        /* soft liquidation */
        require(
            currentPrice(
                auction.market,
                auction.debtor,
                auction.starts_at,
                auction.ends_at
            ) <= bid,
            "bid.price"
        );
        ...
    }
}
```
Impact
Users can supply a bid of 1 as soon as the auction is open to get the debtor's collateral for free.
Recommendations
Add the currentPrice check before the branch.
Remediation
The Nukem team has fixed this issue by moving the currentPrice check before the branch in commit 7f86bbba.
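The following is an added Python model of the two branch orderings described in this finding; it is not the Nukem contract code and not part of the audit. The linear Dutch-auction price decay, the field names on the constructed Auction stand-in and the sample numbers are assumptions; only the ordering of the price check relative to the hard/soft branch mirrors the finding.

```python
from dataclasses import dataclass

@dataclass
class Auction:
    """Constructed stand-in for the on-chain Auction struct (assumed fields)."""
    starts_at: int
    ends_at: int
    start_price: int      # assumed: price at starts_at, decaying linearly to 0 at ends_at
    swappable_value: int  # stand-in for market.collateral().swappableValue(debtor)

def current_price(auction: Auction, now: int) -> int:
    """Assumed linear decay; the real currentPrice() is not on the page."""
    if now <= auction.starts_at:
        return auction.start_price
    if now >= auction.ends_at:
        return 0
    remaining = auction.ends_at - now
    return auction.start_price * remaining // (auction.ends_at - auction.starts_at)

def execute_vulnerable(auction: Auction, bid: int, now: int) -> str:
    """Mirrors the finding: the price check lives only in the soft branch."""
    if auction.swappable_value > bid:
        return "hard"                      # reached with no price check at all
    if current_price(auction, now) > bid:  # require(currentPrice(...) <= bid, "bid.price")
        raise ValueError("bid.price")
    return "soft"

def execute_fixed(auction: Auction, bid: int, now: int) -> str:
    """Remediation: compare the bid with the current price before choosing a branch."""
    if current_price(auction, now) > bid:
        raise ValueError("bid.price")
    if auction.swappable_value > bid:
        return "hard"
    return "soft"

def outcome(execute, auction: Auction, bid: int, now: int) -> str:
    """Report the branch taken, or the revert reason, for one execute variant."""
    try:
        return execute(auction, bid, now)
    except ValueError as err:
        return f"reverted:{err}"

# Constructed sample: auction open from t=100 to t=200, starting price 1000,
# debtor's swappable collateral valued at 800.
SAMPLE = Auction(starts_at=100, ends_at=200, start_price=1000, swappable_value=800)

if __name__ == "__main__":
    print(outcome(execute_vulnerable, SAMPLE, 1, 100))  # hard
    print(outcome(execute_fixed, SAMPLE, 1, 100))       # reverted:bid.price
```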