SCWE-125: Missing Post-Operation Health Check
Stable Version v1.0
This content is in version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).
Relationships
- CWE-754: Improper Check for Unusual or Exceptional Conditions (https://cwe.mitre.org/data/definitions/754.html)
Description
Lending/borrowing protocols that do not re-evaluate a position's health factor after state-changing actions (borrow, withdraw, leverage) allow users to exit with unhealthy positions. Because the post-operation solvency check is skipped, attackers can drain collateral or avoid liquidation.
Remediation
- Recompute health factor after every state-changing action and revert if below threshold.
- Lock price/oracle reads during the operation to avoid mid-tx manipulation.
- Add invariant/fuzz tests to ensure every path enforces solvency.
Examples
Vulnerable

    function borrow(uint256 amount) external {
        _issueDebt(msg.sender, amount);
        // no health check after debt increase
    }
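
A hardened counterpart to the vulnerable `borrow` above, added here as an illustration and not taken from the SCWE entry. It assumes internal accounting only (no token transfers), and the contract name, storage layout, fixed `collateralPrice` and 150% threshold are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model: names, the fixed price and the 150% threshold are assumptions.
contract HealthCheckedLending {
    uint256 public constant MIN_HEALTH_BPS = 15_000; // 150% collateral-to-debt, in basis points
    uint256 public constant BPS = 10_000;

    mapping(address => uint256) public collateral; // collateral units per account
    mapping(address => uint256) public debt;       // debt units per account

    // Stand-in for an oracle value: debt units per collateral unit, 18 decimals.
    uint256 public collateralPrice = 2e18;

    error Unhealthy(address account, uint256 healthBps);

    // Runs the function body first, then re-evaluates solvency on the final state.
    modifier healthyAfter(address account) {
        _;
        uint256 h = healthBps(account);
        if (h < MIN_HEALTH_BPS) revert Unhealthy(account, h);
    }

    // Collateral value divided by debt, in basis points.
    function healthBps(address account) public view returns (uint256) {
        uint256 d = debt[account];
        if (d == 0) return type(uint256).max; // no debt: always healthy
        uint256 value = collateral[account] * collateralPrice / 1e18;
        return value * BPS / d;
    }

    // Adding collateral can only improve health, so no check is needed here.
    function deposit(uint256 amount) external {
        collateral[msg.sender] += amount;
    }

    // Debt increase: the modifier reverts the whole call if health drops below 150%.
    function borrow(uint256 amount) external healthyAfter(msg.sender) {
        debt[msg.sender] += amount;
    }

    // Collateral decrease: the same post-operation check applies.
    function withdraw(uint256 amount) external healthyAfter(msg.sender) {
        collateral[msg.sender] -= amount;
    }
}
```

Placing the check in a modifier that runs after `_;` means each state-changing entry point opts in with one keyword, which makes a missing check easy to spot in review and a natural target for the invariant tests listed under Remediation.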