Lender cannot use auction functionality if lender called loan when contract is paused
Summary
When the admin pause the contract auction functionality cannot be used because it has whenNotPaused modifier. Intention of protocol is that when contract is paused no new loan should be created. It is working as intended in auction function.
But the function call does not have whenNotPaused which will lead to non-use of auction functionality of lender if lender call the loan when contract is paused.
Suppose contract is paused and duration of lender is completed so lender call the loan and intends that loan will be gone into auction and new lender take over his loan. But the contract is paused so new lender cannot take over loan by calling action therefore lender cannot utilize the auction functionality of the protocol.
Also, when admin pause the contract, the ongoing auctions cannot be used which will be adverse for the lender.
If call function has whenNotPaused the lender cannot call his loan during that time and it will no other adverse impact for the protocol. Already protocol dont want to create new loan when contract is paused so there is no logic of letting lender to call his loan because auction cannot be called.
Root Cause
The call function does not have whenNotPaused modifier.
Internal pre-conditions
Admin pause the contract.
External pre-conditions
No response
Attack Path
Admin pause the contract.
A lender whose loan duration is over, call his loan.
Auction duration is started but new lender cannot use auction because contract is paused.
Lender cannot use the functionality of auction of his loan.
Impact
Lender cannot use the functionality of auction on his loan.
PoC
No response
Mitigation
Protocol should add whenNotPaused modifier in call function. It has no adverse impact and protect lender in such cases.
Striped Bronze Ferret
High
Lender cannot use auction functionality if lender called loan when contract is paused
Summary
whenNotPausedmodifier. Intention of protocol is that when contract is paused no new loan should be created. It is working as intended in auction function.https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L561
calldoes not havewhenNotPausedwhich will lead to non-use of auction functionality of lender if lender call the loan when contract is paused.https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L534
Suppose contract is paused and duration of lender is completed so lender call the loan and intends that loan will be gone into auction and new lender take over his loan. But the contract is paused so new lender cannot take over loan by calling action therefore lender cannot utilize the auction functionality of the protocol.
Also, when admin pause the contract, the ongoing auctions cannot be used which will be adverse for the lender.
If call function has
whenNotPausedthe lender cannot call his loan during that time and it will no other adverse impact for the protocol. Already protocol dont want to create new loan when contract is paused so there is no logic of letting lender to call his loan because auction cannot be called.Root Cause
The call function does not have
whenNotPausedmodifier.Internal pre-conditions
External pre-conditions
No response
Attack Path
Impact
Lender cannot use the functionality of auction on his loan.
PoC
No response
Mitigation
Protocol should add
whenNotPausedmodifier incallfunction. It has no adverse impact and protect lender in such cases.