Bandit - Liquidations Allowed When Paused

[sherlock-admin]

Bandit

medium

Liquidations Allowed When Paused

Summary

When the protocol is paused, liquidations are still allowed while reducing modifying positions is disallowed, leading to unfair liquidations.

Vulnerability Detail

When the protocol is paused, the modify function will revert due to this line:

            require(
                //@question was is ante?
                seemsLegit && (block.timestamp > pausedUntilTime) && (address(this).balance >= ante),
                "Aloe: missing ante / sus price"
            );

This means that users cannot modify their positions and increase their collateral to avoid liquidations. However, the warn and liquidate functions do not have the same check which measn that liquidations are still allowed when the protocol is paused. This results in unjust liquidations.

Similar to this issue from Blueberry Contest: Jeiwan - Liquidations are enabled when repayments are disabled, causing borrowers to lose funds without a chance to repay

Impact

Unfair liquidations as users cannot modify their position while liquidations are still enabled.

Code Snippet

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L299-L327

Tool used

Manual Review

Recommendation

Implement a pause check on both the liquidate and warn functions

[sherlock-admin2]

2 comment(s) were left on this issue during the judging contest.

panprog commented:

medium, dup of #15

MohammedRizwan commented:

valid

[haydenshively]

This is by design. If the manipulation metric/threshold generates any false positives, such false positives are most likely to occur in periods of rapid price movement -- precisely the time when you wouldn't want to pause liquidations. As such, liquidations can proceed regardless of seemsLegit and isPaused.

Two things that make this less annoying for Borrowers than it otherwise would be:

• After receiving the Warn event, they have the grace period in which to close their positions themselves. This means
  • The attacking liquidator would need to maintain the manipulation for the duration of the grace period so that the Borrower is still unhealthy when calling liquidate
  • Knowing that potential victims have the opportunity to close their own positions reduces the incentive for an attack in the first place
• Manipulating the TWAP to borrow from the protocol has a high reward -- you could essentially drain the pool (which is why borrowing gets paused). But liquidations have tightly constrained payoffs. Attackers would be looking at ~5% of active borrows, and that's assuming (a) they're all liquidatable at the same price level and (b) none of them respond to Warn. Even if the attacker doubles the TWAP and liquidates everyone, they'd only get ~10% of the value of outstanding borrows. Aloe's TVL would have to be massive for the attacker's EV to be anywhere near positive.