Core Contracts

Summary:

The LendingPool contract's liquidation mechanism becomes unfair when the contract is paused, as users cannot repay their debt or close liquidations during the pause period, yet their grace period continues to elapse. When the contract is unpaused, users might immediately face liquidation without having had a fair chance to resolve their position.

Vulnerability Details:

The issue manifests in several connected parts of the code:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L468

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/pools/LendingPool/LendingPool.sol#L375

The vulnerability arises from:

1. The whenNotPaused modifier on both closeLiquidation() and repay() functions

2. The grace period timer (liquidationStartTime + liquidationGracePeriod) continues counting during pause

3. No mechanism to extend grace period to account for pause duration

4. Users must repay almost all debt (below DUST_THRESHOLD) to close liquidation

Impact:

• Users could lose their collateral unfairly due to protocol pause

• Grace period becomes meaningless if significant portion is during pause

• Creates systemic risk during market stress when protocol might be paused

• Violates principle of fair liquidation mechanics

Tools Used:

Manual code review

Recommendations:

1. Add pause duration compensation to grace period checks.

2. Add minimum grace period after unpause.

3. Alternative: Pause liquidation timers during protocol pause.