#47124 [SC-Insight] Minimum Debt Value Updates Trigger Instant Liquidation Condition Changes

Submitted on Jun 9th 2025 at 03:53:09 UTC by @Catchme for IOP | Term Structure Institutional

Report ID: #47124
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/term-structure/tsi-contract/blob/main/src/Settlement.sol
Impacts:
- Protocol insolvency
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

Brief/Intro

The Settlement contract allows the owner to instantly change the minimum debt value threshold without any timelock protection. This parameter directly affects liquidation conditions, potentially forcing immediate full liquidations on previously healthy loans. This creates a significant risk for borrowers who may have their collateral fully liquidated without warning or time to react when this parameter is increased.

Vulnerability Details

The vulnerability exists in the setMinimumDebtValue() function at src/Settlement.sol:74-77:

function setMinimumDebtValue(uint256 minimumDebtValue_) external onlyOwner {
    _minimumDebtValue = minimumDebtValue_;
    emit SetMinimumDebtValue(minimumDebtValue_);
}

This function allows the contract owner to immediately update the global minimum debt value without any delay or transition period. The _minimumDebtValue parameter is critical as it directly affects liquidation logic in LoanLib.liquidaitonInfo():

// src/lib/LoanLib.sol:103-115
if (ltv >= loanInfo.debtData.lltv) {
    liquidateable = true;
    maxLiquidationAmt = _calculateMaxLiquidationAmt(loanInfo, collateralPrice, debtPrice);
    uint256 remainningDebtAmt = loanInfo.debtData.debtAmt - maxLiquidationAmt;
    if (remainningDebtAmt > 0 && remainningDebtAmt < _calculateMinimumDebtAmt(minimumDebtValue, debtPrice))
    {
        maxLiquidationAmt = loanInfo.debtData.debtAmt;  // Forces full liquidation
    }
}

The logical flaw is that increasing _minimumDebtValue can instantly transform loans that were only partially liquidatable into fully liquidatable positions. This creates a sudden change in liquidation risk without providing borrowers any notice or time to adjust their positions.

This contrasts with other critical parameter changes in the contract (like operator updates) that use proper timelock protection:

function submitPendingOperator(address _newOperator) external onlyOwner {
    _pendingOperator.update(_newOperator, Constants.TIMELOCK);
    emit PendingOperatorSet(_newOperator);
}

function acceptOperator() external afterTimelock(_pendingOperator.validAt) {
    // Implementation with timelock protection
}

Impact Details

Sudden Liquidation Risk: Borrowers with healthy loans that would normally qualify for partial liquidation may suddenly face full liquidation without warning
Cascading Liquidations: A significant increase in the minimum debt value could trigger simultaneous full liquidations across multiple positions, potentially causing market instability

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.27;

import "forge-std/Test.sol";
import "../src/Settlement.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract MockERC20 is ERC20 {
    constructor(string memory name, string memory symbol) ERC20(name, symbol) {
        _mint(msg.sender, 1000000 * 10**18);
    }
    
    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }
}

contract MockOracle is IOracle {
    // Allow price manipulation for testing
    mapping(address => uint256) private tokenPrices;
    
    constructor() {
        // Default prices
        tokenPrices[address(0)] = 1e18; // Default price
    }
    
    function setTokenPrice(address token, uint256 price) external {
        tokenPrices[token] = price;
    }
    
    function getPrice(address token) external view override returns (PriceInfo memory) {
        uint256 price = tokenPrices[token];
        if (price == 0) price = tokenPrices[address(0)]; // Default price
        
        return PriceInfo({
            price: price,
            timestamp: block.timestamp,
            source: "MOCK"
        });
    }
}

contract MinimumDebtValuePOC is Test {
    Settlement settlement;
    MockERC20 collateralToken;
    MockERC20 debtToken;
    MockOracle oracle;
    
    address admin = address(1);
    address feeCollector = address(2);
    address operator = address(3);
    address lender = address(4);
    address borrower = address(5);
    address liquidator = address(6);
    
    uint256 initialCollateral = 100 * 10**18;  // 100 tokens
    uint256 initialBorrow = 70 * 10**18;      // 70 tokens
    uint256 initialMinDebtValue = 10 * 10**18; // $10 minimum debt value
    
    string loanIdStr = "test-loan";
    bytes32 loanId;
    
    function setUp() public {
        // Deploy tokens
        collateralToken = new MockERC20("Collateral Token", "COL");
        debtToken = new MockERC20("Debt Token", "DEBT");
        
        // Deploy oracle
        oracle = new MockOracle();
        
        // Set token prices in oracle (1:1 for simplicity)
        oracle.setTokenPrice(address(collateralToken), 1 * 10**18);
        oracle.setTokenPrice(address(debtToken), 1 * 10**18);
        
        // Deploy settlement contract with initial minimum debt value
        settlement = new Settlement(admin, feeCollector, operator, address(oracle));
        vm.startPrank(admin);
        settlement.setMinimumDebtValue(initialMinDebtValue);
        vm.stopPrank();
        
        // Distribute tokens
        collateralToken.transfer(borrower, 200 * 10**18);
        debtToken.transfer(lender, 200 * 10**18);
        debtToken.transfer(liquidator, 200 * 10**18);
        
        // Set up approvals
        vm.startPrank(borrower);
        collateralToken.approve(address(settlement), type(uint256).max);
        debtToken.approve(address(settlement), type(uint256).max);
        vm.stopPrank();
        
        vm.startPrank(lender);
        debtToken.approve(address(settlement), type(uint256).max);
        collateralToken.approve(address(settlement), type(uint256).max);
        vm.stopPrank();
        
        vm.startPrank(liquidator);
        debtToken.approve(address(settlement), type(uint256).max);
        vm.stopPrank();
        
        // Create and settle a loan
        loanId = bytes32(bytes(loanIdStr));
        createAndSettleLoan();
    }
    
    function createAndSettleLoan() internal {
        string memory settlementIdStr = "test-settlement";
        
        // Create a loan with 100 tokens collateral and 70 tokens debt (70% LTV)
        string[] memory loanIds = new string[](1);
        loanIds[0] = loanIdStr;
        
        LoanInfo[] memory loanInfos = new LoanInfo[](1);
        DebtData memory debtData = DebtData({
            borrowedAmt: initialBorrow,
            debtAmt: initialBorrow,
            feeAmt: 0,
            collateralAmt: initialCollateral
        });
        
        loanInfos[0] = LoanInfo({
            maker: lender,
            borrower: borrower,
            lender: lender,
            debtTokenAddr: address(debtToken),
            collateralTokenAddr: address(collateralToken),
            settlementId: bytes32(0),
            debtData: debtData,
            settled: false
        });
        
        SettleInfo memory settleInfo = SettleInfo({
            taker: borrower,
            takerType: TakerType.BORROW,
            expiryTime: block.timestamp + 1 days
        });
        
        // Mock signature
        bytes memory signature = abi.encodePacked(bytes32(0), bytes32(0), uint8(0));
        vm.mockCall(
            address(operator),
            abi.encodeWithSelector(SignatureChecker.isValidSignatureNow.selector),
            abi.encode(true)
        );
        
        // Create settlement as borrower
        vm.startPrank(borrower);
        settlement.createSettlement(settlementIdStr, settleInfo, loanIds, loanInfos, signature);
        vm.stopPrank();
        
        // Settle loan as lender
        vm.startPrank(lender);
        settlement.settle(loanIdStr);
        vm.stopPrank();
    }
    
    function testMinimumDebtValueImpact() public {
        // Simulate a price drop to put the loan in a situation where partial liquidation is possible
        // Let's say collateral value drops from 100 to 80 (20% drop)
        oracle.setTokenPrice(address(collateralToken), 0.8 * 10**18);
        
        console.log("===== Initial State =====");
        console.log("Initial minimum debt value: $", initialMinDebtValue / 1e18);
        
        // Check initial liquidation status
        (bool initialLiquidatable, , uint256 initialMaxLiquidationAmt, , ) = settlement.liquidationInfo(loanIdStr);
        
        console.log("Loan liquidatable: ", initialLiquidatable ? "Yes" : "No");
        console.log("Maximum liquidation amount: ", initialMaxLiquidationAmt / 1e18);
        
        // Calculate expected remaining debt after partial liquidation
        uint256 expectedRemainingDebt = initialBorrow - initialMaxLiquidationAmt;
        console.log("Expected remaining debt after partial liquidation: ", expectedRemainingDebt / 1e18);
        
        // Verify this is above the minimum debt threshold (doesn't force full liquidation)
        bool isPartialLiquidation = expectedRemainingDebt >= initialMinDebtValue;
        console.log("Is partial liquidation possible: ", isPartialLiquidation ? "Yes" : "No");
        
        // Now let's increase the minimum debt value significantly
        uint256 newMinDebtValue = 30 * 10**18; // $30 minimum debt
        
        console.log("\n===== Updating Minimum Debt Value =====");
        console.log("New minimum debt value: $", newMinDebtValue / 1e18);
        
        vm.startPrank(admin);
        settlement.setMinimumDebtValue(newMinDebtValue);
        vm.stopPrank();
        
        // Check liquidation status after minimum debt value change
        (bool newLiquidatable, , uint256 newMaxLiquidationAmt, , ) = settlement.liquidationInfo(loanIdStr);
        
        console.log("\n===== After Minimum Debt Value Update =====");
        console.log("Loan liquidatable: ", newLiquidatable ? "Yes" : "No");
        console.log("Maximum liquidation amount: ", newMaxLiquidationAmt / 1e18);
        
        // Verify if this now forces full liquidation because remaining debt would be below minimum
        bool isFullLiquidation = newMaxLiquidationAmt == initialBorrow;
        console.log("Is full liquidation forced: ", isFullLiquidation ? "Yes" : "No");
        
        // Check that the remaining debt would be below minimum threshold (causes full liquidation)
        console.log("Original expected remaining debt: ", expectedRemainingDebt / 1e18);
        console.log("New minimum debt value: ", newMinDebtValue / 1e18);
        console.log("Remaining debt below new minimum: ", (expectedRemainingDebt < newMinDebtValue) ? "Yes" : "No");
        
        console.log("\n===== Demonstrating Impact on Borrower =====");
        console.log("1. Original liquidation would leave borrower with partial position");
        console.log("2. After parameter change, borrower faces full liquidation");
        console.log("3. Immediate change with no warning to adjust position");
        
        // Execute liquidation to show the full impact
        vm.startPrank(liquidator);
        uint256 liquidationAmount = 20 * 10**18; // Try to liquidate just a portion
        console.log("\n===== Attempting Partial Liquidation =====");
        console.log("Liquidator requested amount: ", liquidationAmount / 1e18);
        
        // Record balances before liquidation
        uint256 borrowerColBefore = collateralToken.balanceOf(borrower);
        uint256 lenderDebtBefore = debtToken.balanceOf(lender);
        
        // This will force full liquidation despite requesting partial amount
        settlement.liquidate(loanIdStr, liquidationAmount);
        vm.stopPrank();
        
        // Check if loan was fully liquidated (would be deleted if fully liquidated)
        LoanInfo memory loanInfo = settlement.getLoan(loanIdStr);
        bool loanDeleted = loanInfo.maker == address(0);
        
        console.log("Loan fully liquidated: ", loanDeleted ? "Yes" : "No");
        
        // If we can't check the loan directly because it was deleted, show other evidence
        uint256 borrowerColAfter = collateralToken.balanceOf(borrower);
        uint256 lenderDebtAfter = debtToken.balanceOf(lender);
        
        console.log("\n===== Financial Impact Evidence =====");
        console.log("Borrower collateral returned: ", (borrowerColAfter - borrowerColBefore) / 1e18);
        console.log("Lender debt received: ", (lenderDebtAfter - lenderDebtBefore) / 1e18);
    }
}

Previous#47122 [SC-Medium] Array Length Mismatch Enables Partial Settlement Processing Next#47125 [SC-Medium] Cross-Chain Signature Replay Attack in Settlement Contract

Was this helpful?