Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

finalizeLiquidation() can be called while LendingPool is paused

Summary

The LendingPool contract includes a pausable mechanism that should prevent most operations while the contract is paused. However, finalizeLiquidation() remains callable even when the contract is paused.

This allows certain operations to bypass the pause mechanism, which could lead to unintended asset transfers during emergencies.

Vulnerability Details

Assume LendingPool has been paused by the owner. A manager of StabilityPool can still call liquidateBorrower(), which in turn calls finalizeLiquidation() while LendingPool is paused.

function liquidateBorrower(address userAddress) external onlyManagerOrOwner nonReentrant whenNotPaused {
    ...
    // Call finalizeLiquidation on LendingPool
@>  lendingPool.finalizeLiquidation(userAddress);
    ...
}
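
Added example, not from the submission or the audited code base: a minimal Solidity model of the call path above, assuming each contract keeps its own pause flag. SimplePausable, MiniLendingPool, MiniStabilityPool, finalizeLiquidationGuarded and the guarded parameter are hypothetical names; nonReentrant and onlyManagerOrOwner are omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration with simplified stand-ins; not the audited contracts.
abstract contract SimplePausable {
    address public immutable owner;
    bool public paused;
    constructor() { owner = msg.sender; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    function setPaused(bool p) external {
        require(msg.sender == owner, "not owner");
        paused = p;
    }
}

contract MiniLendingPool is SimplePausable {
    address public stabilityPool;
    mapping(address => bool) public liquidated;

    modifier onlyStabilityPool() { require(msg.sender == stabilityPool, "not stability pool"); _; }

    function setStabilityPool(address sp) external {
        require(msg.sender == owner, "not owner");
        stabilityPool = sp;
    }

    // Shape shown on the page: this pool's own pause flag is never read.
    function finalizeLiquidation(address user) external onlyStabilityPool {
        liquidated[user] = true;
    }

    // Recommended shape: reverts with "paused" while this pool is paused.
    function finalizeLiquidationGuarded(address user) external whenNotPaused onlyStabilityPool {
        liquidated[user] = true;
    }
}

contract MiniStabilityPool is SimplePausable {
    MiniLendingPool public immutable lendingPool;

    constructor(MiniLendingPool lp) { lendingPool = lp; }

    // This whenNotPaused reads MiniStabilityPool.paused, not the lending pool's flag.
    function liquidateBorrower(address user, bool guarded) external whenNotPaused {
        if (guarded) lendingPool.finalizeLiquidationGuarded(user);
        else lendingPool.finalizeLiquidation(user);
    }
}
```

With MiniLendingPool paused, MiniStabilityPool unpaused and setStabilityPool() already called, liquidateBorrower(user, false) succeeds while liquidateBorrower(user, true) reverts with "paused".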

Impact

Liquidations proceed even when the protocol is paused, which could cause user assets to be moved unexpectedly.

Tools Used

Manual review

Recommendations

Add the whenNotPaused modifier to finalizeLiquidation():

- function finalizeLiquidation(address userAddress) external nonReentrant onlyStabilityPool {
+ function finalizeLiquidation(address userAddress) external nonReentrant whenNotPaused onlyStabilityPool {
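Review bot: on the + line, whenNotPaused makes every finalizeLiquidation() call revert while LendingPool is paused, so StabilityPool.liquidateBorrower() would revert at lendingPool.finalizeLiquidation(userAddress) and liquidations could not be closed out during a pause. Confirm that this is the intended emergency behaviour, since the judging note records the current behaviour as a design choice, and state the decision in the function's NatSpec. Consider listing onlyStabilityPool before whenNotPaused so that unauthorized callers fail on the access check regardless of pause state, and add a test that calls finalizeLiquidation() with the pool paused.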

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
