
No enforcement of a minimum position size means that liquidators have no incentive to liquidate small positions #247

Open
c4-bot-7 opened this issue Apr 19, 2024 · 5 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-313 grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_190_group AI based duplicate group recommendation sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@c4-bot-7

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticPool.sol#L547

Vulnerability details

Impact

Users can fill the protocol with lots of small positions, which leaves the protocol with dead positions that liquidators/exercisors have no incentive to liquidate or exercise.

Proof of Concept

From PanopticPool, there's no minimum position size that can be created upon position minting. This means users have control over how much or how little their position size can be. This in itself is risky. In a more coordinated griefing effort, attackers can spam a large host of small positions with lots of different accounts, which will eventually go underwater but will not be liquidated.

As the protocol will be launched on a number of chains including Ethereum, the cost-to-profit ratio of liquidating certain positions becomes unprofitable for liquidators. With small positions and small collateral, there is no incentive for liquidators to perform these liquidations. Liquidators will have to liquidate at a loss (which they most likely will not do), or the protocol will be losing money to protect from bad debt over time. The final result of this is that low-position accounts will never get liquidated, leaving the protocol with bad debt, which can even cause the protocol to be undercollateralized with enough small-value accounts being underwater.

Tools Used

Manual code review

Recommended Mitigation Steps

Implement a minimum position size that can be created.

Assessed type

Other

@c4-bot-7 c4-bot-7 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 19, 2024
c4-bot-2 added a commit that referenced this issue Apr 19, 2024
@c4-bot-11 c4-bot-11 added the 🤖_190_group AI based duplicate group recommendation label Apr 22, 2024
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Apr 23, 2024
@c4-judge

Picodes marked the issue as primary issue

@dyedm1 dyedm1 added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Apr 27, 2024
@dyedm1

dyedm1 commented Apr 27, 2024

dup #313

@c4-judge c4-judge closed this as completed May 6, 2024
@c4-judge c4-judge added duplicate-313 and removed primary issue Highest quality submission among a set of duplicates labels May 6, 2024
@c4-judge

c4-judge commented May 6, 2024

Picodes marked the issue as duplicate of #313

@c4-judge

c4-judge commented May 6, 2024

Picodes changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels May 6, 2024
@Picodes

Picodes commented May 9, 2024

Hi @ZanyBonzy, thanks for your comment. Indeed this isn't really a duplicate of #313.

However, it's not worth Medium severity in my opinion as the readme states as a known issue that "In some situations, the liquidation may not be profitable.". My understanding is as well that the magnitude of the loss is less than the magnitude of the attack cost as an attacker would need to pay the gas to open these positions, which is equivalent in magnitude to the gas required to liquidate such positions.
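
To make the cost-to-profit argument in the report and the attack-cost comparison in Picodes's reply concrete, here is an added Python model; it is not code from the Panoptic repository or from any participant in this thread. The gas figures, liquidation bonus rate and position sizes are constructed assumptions, not Panoptic's parameters, and `check_min_position` is a hypothetical mint-time guard of the kind the report recommends.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ChainParams:
    """Constructed chain/protocol parameters (assumptions, not Panoptic's real values)."""
    gas_price_gwei: float   # prevailing gas price on the chain
    eth_price_usd: float    # ETH/USD used to price gas in dollars
    liquidation_gas: int    # gas consumed by one liquidation call (assumed)
    mint_gas: int           # gas consumed by one position mint (assumed)
    bonus_rate: float       # share of the position's collateral paid to the liquidator (assumed)


def gas_cost_usd(gas_units: int, p: ChainParams) -> float:
    """USD cost of spending `gas_units` at the given gas price."""
    return gas_units * p.gas_price_gwei * 1e-9 * p.eth_price_usd


def liquidator_profit_usd(collateral_usd: float, p: ChainParams) -> float:
    """Bonus earned minus gas paid; negative means no rational liquidator will act."""
    return collateral_usd * p.bonus_rate - gas_cost_usd(p.liquidation_gas, p)


def min_liquidatable_collateral_usd(p: ChainParams) -> float:
    """Smallest collateral at which a liquidation breaks even: the floor a minimum-size check should enforce."""
    return gas_cost_usd(p.liquidation_gas, p) / p.bonus_rate


def check_min_position(collateral_usd: float, p: ChainParams) -> None:
    """Hypothetical mint-time guard: reject positions too small to ever be worth liquidating."""
    floor = min_liquidatable_collateral_usd(p)
    if collateral_usd < floor:
        raise ValueError(f"position {collateral_usd:.2f} USD is below the minimum {floor:.2f} USD")


def stranded_positions(collaterals_usd: Iterable[float], p: ChainParams) -> List[float]:
    """Underwater positions nobody is paid enough to liquidate: the report's 'dead positions'."""
    return [c for c in collaterals_usd if liquidator_profit_usd(c, p) < 0]


def griefing_cost_vs_exposure(collaterals_usd: List[float], p: ChainParams) -> Tuple[float, float]:
    """Gas an attacker spends minting the positions versus the collateral left unliquidated,
    which is the trade-off the judge weighed in the thread."""
    attacker_cost = len(collaterals_usd) * gas_cost_usd(p.mint_gas, p)
    exposure = sum(stranded_positions(collaterals_usd, p))
    return attacker_cost, exposure
```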

@C4-Staff C4-Staff reopened this May 13, 2024