No enforcement of a minimum postion size causes that liquidators have no incentive to liquidate small positions #247
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-313
grade-a
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_190_group
AI based duplicate group recommendation
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticPool.sol#L547
Vulnerability details
Impact
Users can create the protocol with lots of small positions which leaves the protocol with dead positions that liquidators/exercisors have no incentive to liquidate or excercise.
Proof of Concept
From PanopticPool, there's no minimum position size that can be created upon position minting. This means users have a control on how much or how little their position size can be. This is in itself is risky. In a more corrdinated griefing effort, attackers can spam a large host of small positions with lots of different accounts which will eventually go underwater but will not be liquidated.
As the protocol will be launched on a number of chains including Ethereum, the costs to profit ratio of liquidating certain positions become unprofitable for liquidators. With small positions and small collateral, there is no incentive for liquidators to perform these liquidations. Liquidators will have to liquidate at a loss (which they most likely will not do) or protocol will be losing money to protect from bad debt over time. The final result of this is that low-positions accounts will never get liquidated, leaving the protocol with bad debt and can even cause the protocol to be undercollateralized with enough small-value accounts being underwater.
Tools Used
Manual code review
Recommended Mitigation Steps
Implement a minimum positionsize that can be created.
Assessed type
Other
The text was updated successfully, but these errors were encountered: