The protocol's pause mechanism in LendingPool
prevents users from taking protective actions while their positions can still become liquidatable through two vectors: (1) rate changes via admin/oracle functions and (2) collateral value depreciation through market movements. When the protocol unpauses, these users can be immediately liquidated without having had any opportunity to protect their positions.
During protocol pause, users' positions can become unsafe through:
1 - Rate changes
2 - Collateral Value Changes:
NFT collateral values can decrease due to market conditions
Price oracle updates continue reflecting market prices
Users cannot add collateral or repay debt due to whenNotPaused
modifier
3 - The public updateState
function lacks the whenNotPaused
modifier, allowing interest accumulation to continue even when the protocol is paused.
While simultaneously:
Users cannot repay loans (whenNotPaused
)
Users cannot add more collateral (whenNotPaused
)
Users cannot close liquidations (whenNotPaused
)
Users cannot withdraw their NFTs (whenNotPaused
)
This creates a "trapped" scenario where users watch their positions become unsafe without any recourse until the protocol unpauses, at which point they can be immediately liquidated.
Users can become liquidatable through external factors (market prices) or internal changes (rates) during pause, with no ability to protect their positions.
Manual Review
Implement a grace period after unpause so users can have time to manage their positions.
Add whenNotPaused
to updateState
Additionally, allow repayment/closing while the protocol is paused.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.