Core Contracts

Summary

LendingPool manages liquidation. functions linked to borrowing and liquidation :

• borrow() whenNotPaused : allow a user to borrow token against value of his NFT previously deposited

• repay() whenNotPaused : repay a certain amount of a user debt

• initiateLiquidation() whenNotPaused : change user state to isUnderLiquidation, user now have a time-window to repay debt to avoid liquidation

• closeLiquidation() whenNotPaused : after calling repay() allow a user to get out of isUnderLiquidation status

• finalizeLiquidation() onlyStabilityPool : liquidate a user, cancelling his debt and confiscating all NFTs sent to LendingPool

As we can see, if the contract is in a pause state, there is no way for the user to call repay() and closeLiquidation(). But stabilityPool can be called to liquidate user during pause event.
Also there is no grace period after an unpause() event, so even if there is a modifier on finalizeLiquidation, user may not have enough time to repay.

Vulnerability Details

1. User deposit NFT into lending pool and borrow token against it

2. Value of NFT drops, and user enter liquiditable state, initiateLiquidation is called against him : isUnderLiquidation[address(user) = true

3. Security issue happens and owner calls pause()

4. User is not able to repay() or closeLiquidation() because of whenNotPaused modifier

5. StabilityPool calls finalizeLiquidation(), users is now liquidated and was blocked to cancel it

6. Security is fix and owner calls unpause()

Impact

A user can be unfairly liquidated during a pause event and loose his NFT without having the opportunity to repay his debt. Also a grace period should be added after the unpause() event, so that user who are under liquidation have more time to repay their debt.

Tools Used

Manual

Recommendations

finalizeLiquidation() should have the whenNotPaused modifier. Furthermore, there should be a grace period after an unpause event, otherwise a user could not have the time to repay his debt after the pool is unpause()