Liquidatoooor

oiler

Objective

The favorite lending protocol in town has opened its doors and is allowing anyone to deposit collateral to borrow debt tokens! The Risk analysis department assures that the protocol is as sound as the Swiss banking system, and the Tokenomic analysis team argues that if a user's position becomes under-collateralized, the liquidator must receive all of the user's collateral as a reward for keeping the protocol vault free of bad debt, while punishing the borrower for not managing his positions accordingly!

As users start opening debt positions, you notice something unusual in the way the protocol calculates user account health... something is off here... and it seems that the consequences can result in user positions being liquidated by an attacker, who will also make a profit out of it!

Can you demonstrate the viability of this attack to convince the Risk and Tokenomic departments to urgently update the protocol?

📌 Drop the borrower's account health.

📌 Liquidate the borrower and get as much of his collateral as possible.

🗒️ Concepts you should be familiar with (spoilers!)

The contract that you will hack is:

The test script where you will have to write your solution is:

Writeup

Superman borrows too much: he deposits 100 Token and borrows 75 dToken, which is exactly the 75% collateral factor. This makes his health factor 100. Since the liquidation threshold is also 100, he faces liquidation if his collateral value drops even a tiny bit.

Can we manipulate the collateral (Token) price? Yes, by "dumping" some Token into the AMM. Selling Token makes the Token price drop, because there will be more Token and less Dai in the pool -> the Dai price increases and the Token price decreases. Since Superman is already on the edge of liquidation, we can simply swap 1 Token for Dai and his position becomes liquidatable.

The rest of the challenge is just figuring out how liquidate() works. Don't forget we still have 100 Dai in hand, so we can swap them back for Token at the end.
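The reasoning above as an added simulation (not the challenge's own code): a fee-less x*y=k Token/Dai pool, the health factor as the writeup defines it, and a headroom formula a reviewer can use to size how thin the protection is when account health is read from a spot price. The 1000/1000 reserves, the 1 Dai/Token start price and dToken being worth 1 Dai are constructed assumptions.

```python
import math
from dataclasses import dataclass
from fractions import Fraction

# Constructed assumptions: the writeup gives no pool reserves, so a 1000/1000
# pool (1 Dai per Token) is used, dToken is taken to be worth 1 Dai, and the
# health factor is read as "100 == debt is exactly 75% of collateral value".
COLLATERAL_FACTOR = Fraction(3, 4)
LIQUIDATION_THRESHOLD = 100


@dataclass
class Pool:
    """Fee-less constant-product Token/Dai pool (x * y = k)."""
    token: Fraction
    dai: Fraction

    def spot_price(self) -> Fraction:
        """Dai per Token, read straight from the reserves (the manipulable value)."""
        return self.dai / self.token

    def sell_token(self, amount: Fraction) -> Fraction:
        """Swap Token for Dai and return the Dai received; the spot price falls."""
        k = self.token * self.dai
        self.token += amount
        dai_out = self.dai - k / self.token
        self.dai -= dai_out
        return dai_out


def health_factor(collateral: Fraction, price: Fraction, debt: Fraction) -> Fraction:
    return collateral * price * COLLATERAL_FACTOR / debt * 100


def superman_scenario(sell_amount: Fraction = Fraction(1)):
    """Health of the 100 Token / 75 dToken position before and after a Token sale."""
    pool = Pool(Fraction(1000), Fraction(1000))
    collateral, debt = Fraction(100), Fraction(75)
    before = health_factor(collateral, pool.spot_price(), debt)
    pool.sell_token(sell_amount)
    after = health_factor(collateral, pool.spot_price(), debt)
    return before, after, after < LIQUIDATION_THRESHOLD


def manipulation_headroom(pool: Pool, hf: Fraction) -> float:
    """Token that must be sold into `pool` before a position with health `hf` reads
    as liquidatable on the spot price. With reserves T, D and k = T*D the price after
    selling x Token is k/(T+x)^2, so x > T*(sqrt(hf/100) - 1); at hf == 100 it is 0."""
    return float(pool.token) * (math.sqrt(hf / 100) - 1)
```

With a position sitting exactly at health 100, the headroom is zero: a 1 Token sale (0.1% of the pool) already drops the health factor to about 99.8, which is why a spot-price oracle plus a threshold equal to the collateral factor leaves no safety margin.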

PoC

Liquidatoooor PoC
