Core Contracts

Relevant Context

The LendingPool contract implements a pause mechanism through the whenNotPaused modifier that can be activated by the owner. This mechanism is intended to protect users during emergencies by temporarily halting protocol operations.

Finding Description

The whenNotPaused modifier is applied to critical protocol functions including repay(), repayOnBehalf(), initiateLiquidation(), and closeLiquidation(). While pausing functionality is important for emergency scenarios, preventing these specific functions from executing can lead to unintended consequences that harm both users and the protocol.

When the protocol is paused:

1. Users cannot repay their debt through repay() or repayOnBehalf()

2. Liquidators cannot initiate liquidations of unhealthy positions via initiateLiquidation()

3. Users in liquidation cannot close their positions through closeLiquidation()

This creates scenarios where:

• Users wanting to reduce their risk by repaying debt are prevented from doing so

• Unhealthy positions cannot be liquidated, potentially threatening protocol solvency

• Users in their liquidation grace period lose the opportunity to save their positions

Impact Explanation

High. The inability to repay debt or process liquidations during a pause can lead to significant losses for users and threaten protocol solvency. Most critically, users who are in their liquidation grace period when the pause occurs will be unable to close their position, and if the pause extends beyond their grace period, they are guaranteed to be liquidated when the protocol resumes since closeLiquidation() can only be called within the grace period.

Likelihood Explanation

Low. Protocol pauses should be rare events that only occur in extreme circumstances. While the impact during such events would be severe, the low probability of a pause being necessary makes this a low-likelihood scenario.

Proof of Concept

Scenario demonstrating guaranteed liquidation after grace period:

1. User's position becomes unhealthy and initiateLiquidation() is called

2. User has a 3-day grace period to repay debt and close the liquidation

3. After 1 day, the protocol is paused

4. The pause lasts for 3 days

5. When the protocol unpauses, the user's grace period has expired

6. The user can no longer call closeLiquidation() due to the if (block.timestamp > liquidationStartTime[userAddress] + liquidationGracePeriod) check

7. The position will be liquidated through finalizeLiquidation(), resulting in guaranteed loss of collateral

This scenario is particularly severe because once the grace period expires, there is no mechanism for the user to prevent liquidation, even if they have the means to repay their debt.

Recommendation

Modify the pause mechanism to maintain critical functions while pausing other operations:

This allows the protocol to maintain critical risk management functions even during paused states while still protecting against other potentially dangerous operations.