Yield Witch v2 contest - ladboy233's results

Fixed-rate borrowing and lending on Ethereum

General Information

Platform: Code4rena

Start Date: 14/07/2022

Pot Size: $25,000 USDC

Total HM: 2

Participants: 63

Period: 3 days

Judge: PierrickGT

Total Solo HM: 1

Id: 147

League: ETH

Yield

Findings Distribution

Researcher Performance

Rank: 34/63

Findings: 1

Award: $41.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

41.2753 USDC - $41.28

Labels

QA (Quality Assurance)

External Links

Lines of code

https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L253

Vulnerability details

Impact


The protocol relies on auctioneers to put bad debt into auction and then either let the position be liquidated or cancel the auction. However, after an auctioneer starts an auction, the user can add more collateral so that the position is no longer undercollateralized, and if the cancel function is never called, the auction remains open. The user's position is then no longer subject to liquidation, yet it can still be liquidated.

Proof of Concept


  • An auctioneer starts an auction on the user's vault.
  • The user adds more collateral, so the position is no longer subject to liquidation.
  • The auctioneer never calls cancel, so the auction stays open.
  • A liquidator calls payBase or payFYToken and liquidates the user's now-healthy position.

Tools Used

VIM

Recommended Mitigation Steps

The developer can check whether the user's position is still subject to liquidation when a liquidator calls payBase or payFYToken.

https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L357

function payFYToken(
    bytes12 vaultId,
    address to,
    uint128 minInkOut,
    uint128 maxArtIn
) external returns (uint256 liquidatorCut, uint256 auctioneerCut, uint256 artIn) {
    DataTypes.Auction memory auction_ = auctions[vaultId];
    require(auction_.start > 0, "Vault not under auction");
    // This line is added to ensure the user's position is still subject to liquidation.
    require(cauldron.level(vaultId) < 0, "Not undercollateralized");
    // ... rest of the function unchanged
}
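The following is an added example, not code from Yield or from this report. It models the four Proof of Concept steps above and the proposed mitigation as a small Python state machine: a Cauldron that tracks collateral (ink) and debt (art) and reports level(), and a Witch whose pay_fy_token either does or does not re-check the level before liquidating. The vault names, the 150% collateral ratio, the fixed 1:1 price and the pro-rata payout rule are constructed simplifications; the real Witch prices collateral against the auction's elapsed time.

```python
# Added example (not Yield's code): a minimal model of the auction / cancel / pay
# flow from the finding, showing why payFYToken needs its own collateralization
# check. Names, ratio and amounts are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Vault:
    ink: int  # collateral units
    art: int  # debt units


class Cauldron:
    """Holds vaults and reports their collateralization level (price fixed at 1:1, assumed)."""

    def __init__(self, ratio_bps: int = 15_000):
        self.ratio_bps = ratio_bps  # 150% collateral ratio (assumed)
        self.vaults: dict[str, Vault] = {}

    def level(self, vault_id: str) -> int:
        """Non-negative: healthy; negative: undercollateralized and liquidatable."""
        v = self.vaults[vault_id]
        return v.ink - v.art * self.ratio_bps // 10_000

    def pour(self, vault_id: str, ink_delta: int) -> None:
        """User adds (positive) or removes (negative) collateral."""
        self.vaults[vault_id].ink += ink_delta


class Witch:
    """Liquidation engine; check_level_on_pay toggles the mitigation proposed in the finding."""

    def __init__(self, cauldron: Cauldron, check_level_on_pay: bool):
        self.cauldron = cauldron
        self.check_level_on_pay = check_level_on_pay
        self.auctions: dict[str, int] = {}  # vault_id -> start timestamp (0 = no auction)

    def auction(self, vault_id: str, now: int) -> None:
        if self.cauldron.level(vault_id) >= 0:
            raise ValueError("Not undercollateralized")
        self.auctions[vault_id] = now

    def cancel(self, vault_id: str) -> None:
        if self.cauldron.level(vault_id) < 0:
            raise ValueError("Undercollateralized")
        del self.auctions[vault_id]

    def pay_fy_token(self, vault_id: str, art_in: int) -> int:
        """Repay art_in debt and receive collateral pro rata; returns collateral paid out."""
        if self.auctions.get(vault_id, 0) == 0:
            raise ValueError("Vault not under auction")
        # The mitigation: refuse to liquidate a vault that is healthy again.
        if self.check_level_on_pay and self.cauldron.level(vault_id) >= 0:
            raise ValueError("Not undercollateralized")
        v = self.cauldron.vaults[vault_id]
        ink_out = v.ink * art_in // v.art
        v.art -= art_in
        v.ink -= ink_out
        return ink_out


def run_scenario(hardened: bool) -> dict:
    """Replay the four PoC steps and report whether the healthy vault got liquidated."""
    cauldron = Cauldron()
    cauldron.vaults["vault-1"] = Vault(ink=120, art=100)  # level = 120 - 150 = -30
    witch = Witch(cauldron, check_level_on_pay=hardened)

    witch.auction("vault-1", now=1)  # step 1: auctioneer starts the auction
    cauldron.pour("vault-1", 60)     # step 2: user tops up; level = 180 - 150 = 30
    level_after_topup = cauldron.level("vault-1")
    # step 3: nobody calls cancel, so the auction stays open
    try:
        ink_out = witch.pay_fy_token("vault-1", art_in=50)  # step 4: liquidator pays
        liquidated = True
    except ValueError:
        ink_out = 0
        liquidated = False
    return {"level_after_topup": level_after_topup, "liquidated": liquidated, "ink_out": ink_out}


if __name__ == "__main__":
    print(run_scenario(hardened=False))  # healthy vault still loses 90 collateral
    print(run_scenario(hardened=True))   # pay_fy_token reverts, vault untouched
```

Running both branches shows the difference in one line each: without the check the liquidator takes collateral from a vault whose level is already positive; with the check the call reverts, which is the behaviour the extra require in payFYToken above enforces.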

#0 - HickupHH3

2022-07-18T14:39:38Z

dup of #91

#1 - alcueca

2022-07-21T10:28:44Z

Duplicate of #40

#2 - PierrickGT

2022-07-28T15:29:00Z

Downgraded to QA Report since this issue is related to a design decision.

#3 - PierrickGT

2022-07-30T16:04:48Z

Only issue submitted by this warden, since it has been downgraded to QA report, I will remove the duplicate label and reopen it.
