Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Orderly Network>High findings>No health checks performed on liquidations
GeneralOverview
Findings
Critical (1)
High (4)Large withdrawal may be blockedNo health checksFunction inputs need validationDefault blocking behavior on LZ
Medium (3)
Informational (1)
DiscussionAdditional checksOverall issues with some functionsThe `changeFeeCollector` does not revertThe `tokenHash` is not a hash from `tokenAddress`
Threat ModelWhat are threat models?AccountTypeHelper.solAccountTypePositionHelper.solCrossChainRelayUpgradeable.solFeeManager.solLedger.solLedgerComponent.solLedgerCrossChainManagerUpgradeable.solMarketManager.solOperatorManager.solOperatorManagerComponent.solSignature.solVault.solVaultCrossChainManagerUpgradeable.solVaultManager.sol
Audit ResultsSummary
Category: Business Logic

No health checks performed on liquidations

High Severity
High Impact
Low Likelihood

Description

A liquidation is expected to be performed when the user's position is below the maintenance margin. However, there are currently no checks in the Ledger contract on whether the user's position is below the maintenance margin. This means that anyone could theoretically liquidate any position at any time, regardless of whether the position is below the maintenance margin or not.

function executeLiquidation(EventTypes.Liquidation calldata liquidation, uint64 eventId)
    external
    override
    onlyOperatorManager
{

    AccountTypes.Account storage liquidatedAccount = userLedger[liquidation.liquidatedAccountId];

    if (liquidation.insuranceTransferAmount != 0) {
        _transferLiquidatedAssetToInsurance(
            liquidatedAccount,
            liquidation.liquidatedAssetHash,
            liquidation.insuranceTransferAmount,
            liquidation.insuranceAccountId
        );
    }
    uint256 length = liquidation.liquidationTransfers.length;
    for (uint256 i = 0; i < length; i++) {
        EventTypes.LiquidationTransfer calldata liquidationTransfer = liquidation.liquidationTransfers[i];
        _liquidatorLiquidateAndUpdateEventId(
            liquidationTransfer, eventId, liquidationTransfer.liquidatorAccountId != liquidation.insuranceAccountId
        );
        _liquidatedAccountLiquidate(liquidatedAccount, liquidationTransfer);
        _insuranceLiquidateAndUpdateEventId(liquidation.insuranceAccountId, liquidationTransfer, eventId);
    }
    liquidatedAccount.lastCefiEventId = eventId;
    emit LiquidationResult(
        _newGlobalEventId(),
        liquidation.liquidatedAccountId,
        liquidation.insuranceAccountId,
        liquidation.liquidatedAssetHash,
        liquidation.insuranceTransferAmount,
        eventId
    );
}

Impact

Anyone can liquidate any position at any time, even if the position is not below the maintenance margin. The low likelihood of this issue is due to the facts that the liquidation process is performed off chain and the liquidation process is not public. In the off-chain components, the team has stated that they are performing necessary checks on the liquidation process.

Recommendations

We recommend adding the necessary checks on chain to ensure that the user's position is below the maintenance margin before liquidating their position.

Remediation

The team has acknowledged this issue and have stated that they are performing necessary checks on the liquidation process off chain.

Zellic © 2024Back to top ↑