A critical rounding convention bug in Vesu's Singleton liquidation contract allowed attackers to steal user funds through malicious pool extension contracts, flashloans, and improper handling of the receive_as_shares flag. The vulnerability was discovered via Immunefi bug bounty, remediated by removing the affected liquidation logic and whitelisting pool extensions within 5 days.
Compound's liquidation mechanism fails to validate that seized assets are actually held as collateral, allowing liquidators to seize any user assets when borrowing becomes undercollateralized, not just those explicitly marked as collateral via enterMarkets().
Iron Bank's seizeInternal() function fails to credit liquidators with the correct collateral amount when seizing tokens, undercounting their collateral and potentially triggering unintended liquidations. The bug stems from only increasing collateral by collateralTokens instead of the full seizeTokens amount, with the difference (buffer) not being accounted for.