Description
In `LiquidationLogic.sol`, the `_liquidateDebt` function uses inconsistent rounding when liquidating debt. `premiumDebtToLiquidateRay` is converted with `fromRayUp` (rounded up) and then subtracted, which makes `drawnDebtLiquidated` lower than its actual value. As a result, the user's debt shares are not fully burned, and "Ghost Debt" remains in the system permanently.
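A simplified numeric model of the rounding mismatch described above, added here as an illustration and not taken from the project's code. It assumes total debt is rounded up once over drawn plus premium debt and that burned shares are derived by rounding down; the share count, index and premium values are constructed.

```python
RAY = 10**27  # 27-decimal fixed-point unit

def from_ray_up(x: int) -> int:
    """Convert a ray-scaled amount to asset units, rounding up."""
    return -(-x // RAY)

def from_ray_down(x: int) -> int:
    """Convert a ray-scaled amount to asset units, rounding down."""
    return x // RAY

def total_debt(shares: int, index_ray: int, premium_ray: int) -> int:
    # Assumption: the debt a liquidator must cover is rounded up ONCE
    # over the ray-precision sum of drawn debt and premium debt.
    return from_ray_up(shares * index_ray + premium_ray)

def residual_shares(shares: int, index_ray: int, premium_ray: int,
                    round_premium_up: bool = True) -> int:
    """Drawn shares left after the liquidator covers the full total debt."""
    debt_to_cover = total_debt(shares, index_ray, premium_ray)
    convert = from_ray_up if round_premium_up else from_ray_down
    premium_liquidated = convert(premium_ray)
    # Step named on the page: rounded-up premium is subtracted,
    # so the drawn portion can come out 1 unit short.
    drawn_debt_liquidated = debt_to_cover - premium_liquidated
    # Assumption: asset -> share conversion rounds down.
    drawn_shares_liquidated = min(shares, drawn_debt_liquidated * RAY // index_ray)
    return shares - drawn_shares_liquidated

def premiums_leaving_residue(shares: int, index_ray: int) -> list:
    """Premium sizes (in tenths of one asset unit) that leave shares unburned."""
    return [t for t in range(10)
            if residual_shares(shares, index_ray, t * RAY // 10) > 0]

# Constructed sample position: 1000 shares at index 1.0004 (drawn debt 1000.4)
SHARES = 1000
INDEX_RAY = RAY + 4 * 10**23
PREMIUM_RAY = 3 * 10**26  # 0.3 asset units of premium debt

if __name__ == "__main__":
    print("total debt covered:", total_debt(SHARES, INDEX_RAY, PREMIUM_RAY))
    print("residual (premium rounded up):",
          residual_shares(SHARES, INDEX_RAY, PREMIUM_RAY, True))
    print("residual (premium rounded down, comparison only):",
          residual_shares(SHARES, INDEX_RAY, PREMIUM_RAY, False))
    print("premium tenths leaving residue:",
          premiums_leaving_residue(SHARES, INDEX_RAY))
```

In this model the residue appears whenever rounding the premium up on its own consumes a unit that the single round-up of the combined debt did not add; the rounded-down variant is shown only for comparison within the model.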
## Vulnerability Detail

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.0;

import 'tests/unit/Hub/HubBase.t.sol';

contract LiquidationPoC is HubBase {
    function test_GhostDebtViaRoundingMismatch() public {
        // 1. Setup: User has debt and is liquidatable
        // Assume user has 1000e18 debt and 1100e18 collateral (HF < 1)

        // 2. Liquidator calls liquidateUser to clear ALL debt
        uint256 totalDebtToCover = 1000e18;
        vm.prank(address(liquidator));
        spoke1.liquidateUser(
            daiAssetId,
            usdcAssetId,
            user,
            totalDebtToCover,
            false
        );

        // 3. The Bug: Check if user still has debt shares
        uint256 remainingShares = getDrawnShares(user, usdcAssetId);

        // 4. Assertion: Liquidator paid full debt, but shares > 0
        // Due to fromRayUp() in _liquidateDebt, drawnDebtLiquidated was 1 wei less
        // causing drawnSharesLiquidated to round down and leave residual shares.
        assertGt(remainingShares, 0, "Invariant Violation: Ghost debt remains after full liquidation");
        emit log_named_uint("Residual Ghost Debt Shares", remainingShares);
    }
}
```
See lines 246 and 247 of `LiquidationLogic.sol`: