Closed sherlock-admin4 closed 6 months ago
This issue is invalid following the Sherlock guidelines:
An admin action can break certain assumptions about the functioning of the code. Example: Pausing a collateral causes some users to be unfairly liquidated or any other action causing loss of funds. This is not considered a valid issue.
coffiasd
high
Borrower repayment of assets is subject to pausable limitations
Summary
Borrower repayment of assets is subject to pausable limitations, which can result in an inability to repay when prices drop
Vulnerability Detail
Market.sol::repay
Market.sol::refund
Market.sol::repayAtMaturity
The above repayment functions include a whenNotPaused check. Assuming the following scenario: After the PAUSER_ROLE unpauses the contract, the borrower intends to repay DAI to the contract. However, a liquidator can front-run to liquidate the borrower's position, which is unfair to the loan holder.
Add the following test to file Market.t.sol
As we can see, the borrower is unable to repay ETH; when the owner unpauses the contract, the borrower's position can be front-run and liquidated.
Impact
Code Snippet
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Market.sol#L176-L183
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Market.sol#L190-L197
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Market.sol#L445-L458
Tool used
Manual Review
Recommendation
Delete the whenNotPaused limitation in the repay assets function
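
A toy Python model of the timeline described in the report, added here as an illustration; it is not code from the report or from Market.sol. The ToyMarket class, its numbers, and the rule that liquidate is blocked while paused are assumptions made for the example; it runs the same sequence with and without the pause check on repay.

```python
from dataclasses import dataclass

class Reverted(Exception):
    """Stands in for an EVM revert."""

@dataclass
class ToyMarket:               # hypothetical model, not the audited contract
    repay_gated: bool          # True: repay carries the whenNotPaused check
    collateral: float = 10.0   # units of collateral (constructed)
    debt: float = 1000.0       # debt in DAI (constructed)
    price: float = 150.0       # DAI per unit of collateral (constructed)
    min_ratio: float = 1.25    # constructed liquidation threshold
    paused: bool = False
    liquidated: bool = False

    def healthy(self) -> bool:
        return self.debt == 0 or self.collateral * self.price / self.debt >= self.min_ratio

    def repay(self, amount: float) -> None:
        if self.repay_gated and self.paused:
            raise Reverted("paused")
        self.debt -= min(amount, self.debt)

    def liquidate(self) -> None:
        if self.paused:                      # assumption: liquidation is pausable too
            raise Reverted("paused")
        if self.healthy():
            raise Reverted("position is healthy")
        self.liquidated = True

def run_timeline(repay_gated: bool) -> dict:
    m = ToyMarket(repay_gated=repay_gated)
    m.paused = True            # pauser pauses the market
    m.price = 110.0            # price drops while paused: ratio 1.1 < 1.25
    repaid_during_pause = True
    try:
        m.repay(400.0)         # borrower tries to restore health
    except Reverted:
        repaid_during_pause = False
    m.paused = False           # unpause; the liquidator's transaction is ordered first
    try:
        m.liquidate()
    except Reverted:
        pass                   # liquidation rejected: position was healthy
    return {"repaid_during_pause": repaid_during_pause, "liquidated": m.liquidated}
```
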