Skip to content
This repository has been archived by the owner on Sep 24, 2023. It is now read-only.

IllIllI - Liquidation shouldn't be used to close positions that were fully-collateralized prior to collateral requirement changes #179

Open
sherlock-admin opened this issue Mar 25, 2023 · 3 comments
Open

IllIllI - Liquidation shouldn't be used to close positions that were fully-collateralized prior to collateral requirement changes #179

sherlock-admin opened this issue Mar 25, 2023 · 3 comments
Labels
Medium Reward A payout will be made for this issue Sponsor Confirmed Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin
Copy link
Contributor

IllIllI

medium

Liquidation shouldn't be used to close positions that were fully-collateralized prior to collateral requirement changes

Summary

There are various factors associated with minimum collateral requirements, and if a position falls below them, the position is liquidated.

Vulnerability Detail

If the position was over-collateralized and in profit prior to the change in the minimums, and the minimum is increased, the position is liquidated.

Impact

Liquidation gives all funds to the pool, giving nothing back to the user

Code Snippet

A position becomes liquidatable once it falls below the changeable collateral requirements:

// File: gmx-synthetics/contracts/position/PositionUtils.sol : PositionUtils.isPositionLiquidatable()   #1

377            if (shouldValidateMinCollateralUsd) {
378 @>             cache.minCollateralUsd = dataStore.getUint(Keys.MIN_COLLATERAL_USD).toInt256();
379                if (cache.remainingCollateralUsd < cache.minCollateralUsd) {
380                    return true;
381                }
382            }
383    
384            if (cache.remainingCollateralUsd <= 0) {
385                return true;
386            }
387    
388:           // validate if (remaining collateral) / position.size is less than the min collateral factor (max leverage exceeded)

https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/position/PositionUtils.sol#L368-L388

Liquidations give everything to the pool, and nothing to the position's account

Tool used

Manual Review

Recommendation

Close the position with a market order, rather than liquidating it, if the user was previously above the minimum with the old factor
@xvi10
Copy link

xvi10 commented Mar 29, 2023
edited
Loading

the min collateral requirements should not be changed unless it is an emergency requirement

this setting should eventually be removed from the Config contract

@IllIllI000
Copy link
Collaborator

@xvi10, while it may be for emergency use, if it does end up being used, isn’t the current behavior incorrect? Should this be a no-fix?

@xvi10
Copy link

xvi10 commented Mar 30, 2023

yes, updated to confirmed

@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 3, 2023
@xvi10 xvi10 added the Won't Fix The sponsor confirmed this issue will not be fixed label Apr 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Medium Reward A payout will be made for this issue Sponsor Confirmed Won't Fix The sponsor confirmed this issue will not be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@xvi10 @sherlock-admin @IllIllI000