Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

`finalizeLiquidation(...)` can be called when `LendingPool` is paused

Summary

LendingPool's finalizeLiquidation function can get called when the LendingPool contract is paused.

Vulnerability Details

The LendingPool contract implements the Pausable contract, which allows the admins to pause the contract if there is an issue, to prevent possible loss of funds. However, the finalizeLiquidation function doesn't have the whenNotPaused modifier:

```solidity
@>  function finalizeLiquidation(address userAddress) external nonReentrant onlyStabilityPool {
        if (!isUnderLiquidation[userAddress]) revert NotUnderLiquidation();
        // update state
        ReserveLibrary.updateReserveState(reserve, rateData);
        if (block.timestamp <= liquidationStartTime[userAddress] + liquidationGracePeriod) {
            revert GracePeriodNotExpired();
        }
        // ... remainder of the function not shown in the submission
    }
```

The function can only get called by the StabilityPool's liquidateBorrower function, which means that it only depends on whether the StabilityPool is paused.

Impact

If there is an issue with the LendingPool and it must be paused, the finalizeLiquidation function is still callable by the StabilityPool contract.

Tools Used

Manual review

Recommendations

Add the whenNotPaused modifier to the finalizeLiquidation function.
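A review helper for this class of finding, added here as an example and not part of the submission or the project's code: it lists external/public, non-view functions whose header lacks `whenNotPaused`. The `LendingPoolModel` source, the `findUnguarded` name and the `pause`/`unpause` allow-list are assumptions made for illustration; the matching is regex-based, and each hit is a candidate to check against the intended pause design rather than a confirmed bug.

```javascript
// Added example: list state-changing entry points that lack a pause guard.
// CONSTRUCTED sample: a cut-down model, not the audited LendingPool source.
const SAMPLE = `
contract LendingPoolModel is Pausable {
    function deposit(uint256 amount) external nonReentrant whenNotPaused {}
    function finalizeLiquidation(address userAddress) external nonReentrant onlyStabilityPool {}
    function getUserDebt(address userAddress) public view returns (uint256) {}
    function pause() external onlyOwner {}
    function _accrue() internal {}
}`;

// Strip comments so commented-out code or modifier names in comments do not match.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\/\/[^\n]*/g, " ");
}

// Returns [{ name, modifiers }] for external/public, non-view/pure functions
// whose header does not carry the pause guard. `allow` holds hypothetical
// names of functions that must stay callable while paused.
function findUnguarded(src, guard = "whenNotPaused", allow = ["pause", "unpause"]) {
  const header = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)([^{;]*)[{;]/g;
  const skip = new Set(["external", "public", "payable", "virtual", "override", "returns"]);
  const findings = [];
  for (const m of stripComments(src).matchAll(header)) {
    const name = m[1];
    // Drop argument lists such as `returns (uint256)` or `onlyRole(X)`, keep the keywords.
    const words = m[3].replace(/\([^)]*\)/g, " ").split(/\s+/).filter(Boolean);
    const exposed = words.includes("external") || words.includes("public");
    const readOnly = words.includes("view") || words.includes("pure");
    if (!exposed || readOnly || allow.includes(name)) continue;
    if (!words.includes(guard)) {
      findings.push({ name, modifiers: words.filter((w) => !skip.has(w)) });
    }
  }
  return findings;
}

console.log(findUnguarded(SAMPLE));
```

On the constructed sample it reports only `finalizeLiquidation`, together with the access-control modifiers it does carry, which is the context needed to decide whether the omission is intentional.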

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
