Core Contracts

Vulnerability Details

The LendingPool.sol uses the Pausable modifier on most functions, including core functions like borrow and repay, but interest continues to accrue through the usage index even when the contract is paused.

This creates an unfair situation where borrowers are unable to repay their loans during the paused period, yet their debt keeps increasing due to interest accumulation. The updateState function, which manages interest accrual, is not linked to the pause state, and the usageIndex keeps getting updated. As a result, a borrower who was in a good position before the pause might end up facing liquidation when the contract resumes, despite having no control over the situation and no way to avoid it.

In LendingPool.sol, the borrower functions like borrow, repay, and withdraw use the whenNotPaused modifier:

However, the critical state updates and interest calculations happen in updateState does not have a pause check

The debt is calculated using the usageIndex which continues to compound regardless of the contract's pause state. During a pause:

1. The borrower cannot call repay due to the whenNotPaused modifier

2. The usageIndex keeps increasing through updateState calls

3. Their debt continues to grow through the rayMul calculation with the increasing usageIndex

Impact

1. Healthy borrower can be forced into liquidity during the paused period

Tools Used

Manual review

Recommendations

1. Implement a tiered pause system that enables independent pausing of interest functionalities.

2. In the unpause function, you can use the pausedTimestamp to modify the interest accumulation. For instance, you could update or offset reserve.lastUpdateTimestamp to ensure that the period when the protocol was paused doesn't add to the interest that accrues.