Interest still accuring when repayment is paused, creating debt that cannot be repaid

[c4-bot-4]

Lines of code

https://github.com/code-423n4/2023-12-initcapital/blob/a53e401529451b208095b3af11862984d0b32177/contracts/core/InitCore.sol#L535 https://github.com/code-423n4/2023-12-initcapital/blob/a53e401529451b208095b3af11862984d0b32177/contracts/lending_pool/LendingPool.sol#L161

Vulnerability details

Impact

Interest still accuring when repayment is paused

Proof of Concept

When the admin pause the lending pool repayment,

as timestamp elapses,

interest still accuring

  /// @inheritdoc ILendingPool
    function accrueInterest() public {
        uint _lastAccruedTime = lastAccruedTime;
        if (block.timestamp != _lastAccruedTime) {
            uint _totalDebt = totalDebt;
            uint _cash = cash;
            uint borrowRate_e18 = IIRM(irm).getBorrowRate_e18(_cash, _totalDebt);
            uint accruedInterest = (borrowRate_e18 * (block.timestamp - _lastAccruedTime) * _totalDebt) / ONE_E18;
            uint reserve = (accruedInterest * reserveFactor_e18) / ONE_E18;
            if (reserve > 0) {
                _mint(treasury, _toShares(reserve, _cash + _totalDebt + accruedInterest - reserve, totalSupply()));
            }
            totalDebt = _totalDebt + accruedInterest;
            lastAccruedTime = block.timestamp;
        }
    }

Interest accruing only depends on the time elapsed, but not whether the repayment is paused. This can create debt for user, and make user account unhealthy and eventually user’s position is subject to liquidation.

even when admin unpause the repayment, MEV bot can frontrun user's repayment and liqudiate user.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider not accruing interest when repayment is paused, or not allowing to disable repayment.

Assessed type

Timing

[c4-judge]

hansfriese marked the issue as duplicate of #17

[c4-judge]

hansfriese marked the issue as satisfactory