Polynomial Protocol contest - Josiah's results

Lines of code

https://github.com/code-423n4/2023-03-polynomial/blob/main/src/ShortCollateral.sol#L235-L239

Vulnerability details

Impact

A specific position can be liquidated if canLiquidate() returns true. However, the function logic of maxLiquidatableDebt() is going to make it fully liquidatable even if safetyRatio == 1e18.

Proof of Concept

Let's assume the following setup:

collRatio = 1.5e18 liqRatio = 1.2e18

According to the code logic involved, a position is deemed one half liquidatable the moment its collateral ratio is equal to 1.2e18.

Let's assume:

liqBonus = 0.55e17 (5.5 %)

Following the first round of liquidation, the position will have its collateral ratio turn to (1.2 * 0.5 * 0.945) / 0.5) * 1e18 = 1.134e18, which is immediately liquidatable again.

The position will in fact be fully liquidatable this time because 1.134e18 is less than 1.2e18 * 0.95 = 1.14e18.

ShortCollateral.sol#L230-L239

    function maxLiquidatableDebt(uint256 positionId) public view override returns (uint256 maxDebt) {

        [... SNIPPED ...]

        uint256 safetyRatioNumerator = position.collateralAmount.mulWadDown(collateralPrice);
        uint256 safetyRatioDenominator = position.shortAmount.mulWadDown(markPrice);
        safetyRatioDenominator = safetyRatioDenominator.mulWadDown(collateral.liqRatio);
        uint256 safetyRatio = safetyRatioNumerator.divWadDown(safetyRatioDenominator);

        if (safetyRatio > 1e18) return maxDebt;

        maxDebt = position.shortAmount / 2;

        if (safetyRatio < WIPEOUT_CUTOFF) maxDebt = position.shortAmount;
    }

Recommended Mitigation Steps

It is recommended the code logic of maxLiquidatableDebt() be reasonably revised so that a normal liquidation will only make the underwater position become healthy again rather than worsening the collateral ratio.