Liquidation Can Be Prevented by Triggering Cooldown Expiration

[c4-bot-3]

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L154

Vulnerability details

Impact

Liquidations can be prevented by a user increasing or decreasing their share amount to reset the cooldown for decreasing shares.

Proof of Concept

In the liquidateUser function, the call to _decreaseUserShare passes in true for the useCooldown parameter. This means that any calls to liquidate will revert when the user's position is in cooldown.

if ( useCooldown )
		if ( msg.sender != address(exchangeConfig.dao()) ) // DAO doesn't use the cooldown
			{
			require( block.timestamp >= user.cooldownExpiration, "Must wait for the cooldown to expire" );


			user.cooldownExpiration = block.timestamp + stakingConfig.modificationCooldown();
			}

A user can easily trigger the cooldownExpiration by calling depositCollateralAndIncreaseShare. A user can deposit liquidity even if their position is currently liquidatable. The cooldownExpiration for increasing and decreasing shares is the same, so this affects liquidations at all. Therefore the user can prevent liquidations on their insolvent positions indefinitely.

Tools Used

Manual review

Recommended Mitigation Steps

The fix is simple: the bool value false rather than true should be used when calling the _decreaseUserShare() function within liquidateUser

Assessed type

DoS

[c4-judge]

Picodes marked the issue as duplicate of #891

[c4-judge]

Picodes marked the issue as satisfactory

[thebrittfactor]

For transparency, the judge confirmed issue should be marked as duplicate-312.