Small Shamrock Rook
High
Not accounting for buy fee when converting rETH to NUMA. This underestimates the user’s profit, and overestimates the maxNumaProfitForLiquidations
This allows the liquidator’s profit to greatly exceed the true max profit.
Affected code: link
The following check is used to limit the liquidator’s NUMA profit in liquidateLstBorrower():
uint vaultProfit;
if (numaLiquidatorProfit > maxNumaProfitForLiquidations) {
vaultProfit = numaLiquidatorProfit - maxNumaProfitForLiquidations;
}
uint numaToSend = receivedNuma - vaultProfit;numaLiquidatorProfit is calculated via:
uint numaLiquidatorProfit;
// we don't revert if liquidation is not profitable because it might be profitable
// by selling lst to numa using uniswap pool
if (receivedNuma > numaProvidedEstimate) {
numaLiquidatorProfit = receivedNuma - numaProvidedEstimate; //@i estimate does not consider buyFee, so NUMA estimate is too high.
}It uses numaProvidedEstimate (since the liquidator provides LST), and is calculated via:
uint numaProvidedEstimate = vaultManager.tokenToNuma(
lstAmount,
last_lsttokenvalueWei,
decimals,
criticalScaleForNumaPriceAndSellFee
);This does not account for the buy fee which occurs when converting the LST to NUMA. This means that the estimate for the numa provided is too high. This causes the profit to be underestimated. This allows the true profit to exceed the maximum profit.
In addition to this, maxNumaProfitForLiquidations is calculated by converting the max LST profit to NUMA, but not accounting for the buy fee either, allowing the liquidator’s profit to be even higher.
No response
No response
- Liquidation occurs where the liquidation bonus exceeds the max profit
- Profit received exceeds the max allowed profit
The actual liquidation profit received can exceed maxNumaProfitForLiquidations (which was already overestimated).
No response
Apply the buy fee to both numaProvidedEstimate and maxNumaProfitForLiquidations