Submission Details
Severity:
Missing Pause Protection in a Liquidation Function
Summary
The finalizeLiquidation function lacks the whenNotPaused modifier, which is inconsistent with other critical functions in the contract and could lead to unintended liquidations during emergency pauses.
Vulnerability Details
The function finalizeLiquidation is designed to be called to complete the liquidation process after a grace period. The function notably lacks the whenNotPaused modifier that is present in related functions like initiateLiquidation and closeLiquidation.
```solidity
function initiateLiquidation(address userAddress) external nonReentrant whenNotPaused {
if (isUnderLiquidation[userAddress]) revert UserAlreadyUnderLiquidation();
// update state
ReserveLibrary.updateReserveState(reserve, rateData);
UserData storage user = userData[userAddress];
uint256 healthFactor = calculateHealthFactor(userAddress);
if (healthFactor >= healthFactorLiquidationThreshold) revert HealthFactorTooLow();
isUnderLiquidation[userAddress] = true;
liquidationStartTime[userAddress] = block.timestamp;
emit LiquidationInitiated(msg.sender, userAddress);
}
```
Impact
Low/Med
The function can still trigger liquidations while the contract is paused, undermining the pause mechanism and allowing unintended liquidations.
Tools Used
Manual Review
Recommendations
For a better security mechanism, add the whenNotPaused modifier to the finalizeLiquidation function
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.