The vulnerability lies in the LendingPool and StabilityPool contracts: borrowers can be liquidated immediately after repayments resume.
The finalizeLiquidation function does not recheck the borrower's health factor at execution, so it proceeds with liquidation even if the position's health has been restored.
initiateLiquidation marks a position for liquidation if the health factor becomes insufficient, while finalizeLiquidation, executed by the StabilityPool after the grace period, burns debt and seizes collateral.
No health factor recheck in finalizeLiquidation: the function fails to verify the current health factor and proceeds unconditionally, even if the borrower has repaid debt.
When the LendingPool unpauses, repayments are enabled, but the StabilityPool can call finalizeLiquidation before the payments are processed, liquidating borrowers without a chance to act.
This becomes even more serious when the LendingPool is paused, blocking repayments, but liquidation can still finalise.
Borrowers lose collateral despite repayments due to a lack of health factor rechecks.
Race conditions create unpredictability, risking unnecessary losses.
Borrowers lose assets despite repayments.
Manual code review
Implement health factor rechecks in finalizeLiquidation.
Synchronise the pausing mechanism across contracts.
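A sketch of both recommendations, added here as an illustration and not taken from the audited contracts: finalizeLiquidation re-reads the health factor at execution and sits behind the same pause gate as repay. The contract name, storage layout, threshold, grace period, health-factor formula and the `open`/`setPaused` helpers are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model, NOT the audited LendingPool: storage layout, threshold,
// grace period and the health-factor formula are assumptions.
contract LendingPoolModel {
    uint256 public constant HF_THRESHOLD = 1e18;   // assumed: 1.0 scaled by 1e18
    uint256 public constant GRACE_PERIOD = 3 days; // assumed value
    struct Position { uint256 collateralValue; uint256 debt; uint256 liquidationStart; }
    mapping(address => Position) public positions;
    address public immutable owner;
    address public immutable stabilityPool;
    bool public paused;

    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address pool) { owner = msg.sender; stabilityPool = pool; }

    function setPaused(bool p) external { require(msg.sender == owner, "not owner"); paused = p; }

    // Setup helper for this model only: opens a position with the given values.
    function open(uint256 collateralValue, uint256 debt) external {
        positions[msg.sender] = Position(collateralValue, debt, 0);
    }

    function healthFactor(address user) public view returns (uint256) {
        Position storage p = positions[user];
        return p.debt == 0 ? type(uint256).max : (p.collateralValue * 1e18) / p.debt;
    }

    function initiateLiquidation(address user) external whenNotPaused {
        require(positions[user].liquidationStart == 0, "already flagged");
        require(healthFactor(user) < HF_THRESHOLD, "healthy");
        positions[user].liquidationStart = block.timestamp;
    }

    function repay(uint256 amount) external whenNotPaused {
        Position storage p = positions[msg.sender];
        p.debt -= amount > p.debt ? p.debt : amount;
    }

    // Same pause gate as repay(), and the health factor is re-read at execution.
    function finalizeLiquidation(address user) external whenNotPaused returns (bool seized) {
        require(msg.sender == stabilityPool, "not stability pool");
        Position storage p = positions[user];
        require(p.liquidationStart != 0, "not flagged");
        require(block.timestamp > p.liquidationStart + GRACE_PERIOD, "grace period");
        if (healthFactor(user) >= HF_THRESHOLD) { p.liquidationStart = 0; return false; }
        delete positions[user]; // stands in for burning debt and seizing collateral
        return true;
    }
}
```

In this model a borrower who repays enough to lift the health factor back to the threshold keeps their collateral: finalizeLiquidation clears the flag and returns false instead of seizing.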