code-423n4 / 2023-07-amphora-findings


Interest Still Accrued When VaultController Is Paused #413

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/VaultController.sol#L921-L922

Vulnerability details

Impact

Interest still accrues when VaultController is paused, which leads to users' vaults being subject to liquidation.

Proof of Concept

The VaultController contract has pause functionality, and among the functions that won't work when paused are repay, liquidateVault and borrowUSDA.

Imagine a scenario where the contract is paused and the user was supposed to call repayUSDA to maintain solvency for his vault; let's assume interest rates are high. Since the contract is paused the user can't call repayUSDA, BUT

Interest would keep on accruing, as the function calculateInterest (and the function _payInterest) https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/VaultController.sol#L921-L922 does not have a whenNotPaused modifier, making their vault positions prone to liquidation.

Due to this, a user's vault might get liquidated as soon as the contract is unpaused.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Make _payInterest have a whenNotPaused modifier

Assessed type

Context
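
The scenario in the report above, as an added Python model (not code from the report or from Amphora's contracts): it assumes interest is charged on the time elapsed since the last accrual, and compares that with a hypothetical variant that restarts the accrual clock on unpause. The class, its method names and all numbers are constructed for illustration.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600
DAY = 24 * 3600

class Controller:
    """Simplified time-delta interest model (hypothetical, not VaultController.sol)."""
    def __init__(self, apr, exclude_paused_time):
        self.apr = apr
        self.exclude_paused_time = exclude_paused_time  # assumed pause-aware variant
        self.interest_factor = 1.0
        self.last_accrual = 0
        self.paused = False

    def accrue(self, now):
        elapsed = now - self.last_accrual  # charged on wall-clock time elapsed
        self.interest_factor *= 1 + self.apr * elapsed / SECONDS_PER_YEAR
        self.last_accrual = now

    def pause(self, now):
        self.accrue(now)  # settle interest up to the moment of the pause
        self.paused = True

    def unpause(self, now):
        if self.exclude_paused_time:
            self.last_accrual = now  # the paused window is never charged
        self.paused = False

    def repay(self, base_liability, amount, now):
        if self.paused:
            raise RuntimeError("paused")  # stands in for a whenNotPaused guard
        self.accrue(now)
        return base_liability - amount / self.interest_factor

    def liability(self, base_liability, now):
        self.accrue(now)
        return base_liability * self.interest_factor

def scenario(exclude_paused_time, pause_days=30):
    """Constructed numbers: 1000 collateral at 80% LTV, 790 debt, 50% APR."""
    ctl = Controller(apr=0.50, exclude_paused_time=exclude_paused_time)
    borrowing_power, base_liability = 1000 * 0.80, 790.0
    ctl.pause(now=0)
    try:
        ctl.repay(base_liability, 50.0, now=10 * DAY)  # user tries to deleverage
        repay_blocked = False
    except RuntimeError:
        repay_blocked = True
    ctl.unpause(now=pause_days * DAY)
    debt = ctl.liability(base_liability, now=pause_days * DAY)
    return repay_blocked, round(debt, 2), debt <= borrowing_power
```

`scenario(False)` returns a blocked repayment and a vault that is already over its borrowing power at the first accrual after unpause; `scenario(True)` leaves the debt unchanged across the pause.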

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #184

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-b