Users Can Repay Debt Even After Liquidation Grace Period Expires
Summary
The repay function allows users to repay their debt even when the liquidation grace period has passed and liquidation is pending finalization. This undermines the liquidation process, enabling users to bypass penalties and potentially exploit the system.
Vulnerability Details
Currently, the repay function lacks a check to prevent repayments after liquidation has been initiated and the grace period has expired:
Problematic Scenario
When a user becomes eligible for liquidation, a grace period begins.
If the user fails to repay during this grace period, liquidation should proceed.
Issue: Users can still call
repayafter the grace period but beforefinalizeLiquidationis triggered, negating the liquidation process.
Impact
Bypassing Liquidation Penalties: Users avoid penalties by repaying after grace period expiration.
Economic Exploit: Borrowers can exploit this loophole to maintain risky positions without facing consequences.
Integrity Risk: Undermines the protocol’s liquidation process and fairness.
Tools Used
Manual code review.
Recommendations
Add a validation check in the repay function to prevent repayments after the liquidation grace period expires:
Lead Judging Commences
A borrower can LendingPool::repay to avoid liquidation but might not be able to call LendingPool::closeLiquidation successfully due to grace period check, loses both funds and collateral
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.