Description
Lines of code
Vulnerability details
Impact
Users won't be able to delever their positions during times of high pool utilization.
Proof of Concept
LoopFi offers leverage functionality through increaseLever and decreaseLever. Both of these make use of the native flash loan to help a user increase or decrease their leverage:
    function decreaseLever(
        LeverParams calldata leverParams,
        uint256 subCollateral,
        address residualRecipient
    ) external onlyDelegatecall {
        .....
        IPermission(leverParams.vault).modifyPermission(leverParams.position, self, true);
        uint loanAmount = leverParams.primarySwap.amount;
=>      flashlender.creditFlashLoan(
            ICreditFlashBorrower(self),
            loanAmount,
            abi.encode(leverParams, subCollateral, residualRecipient)
        );
However, the flash loan internally calls the pool's lendCreditAccount method in order to borrow assets, and this function checks that utilization is below a certain level before any more assets can be borrowed:
    function creditFlashLoan(
        ICreditFlashBorrower receiver,
        uint256 amount,
        bytes calldata data
    ) external override nonReentrant returns (bool) {
        uint256 fee = wmul(amount, protocolFee);
        uint256 total = amount + fee;
=>      pool.lendCreditAccount(amount, address(receiver));
lendCreditAccount -> _updateBaseInterest -> calcBorrowRate
    function calcBorrowRate(uint256 expectedLiquidity, uint256 availableLiquidity, bool checkOptimalBorrowing)
        public
        view
        override
        returns (uint256)
    {
        ....
        // If U > U_2 in `isBorrowingMoreU2Forbidden` and the utilization check is requested,
        // the function will revert to prevent raising utilization over the limit
        if (checkOptimalBorrowing && isBorrowingMoreU2Forbidden) {
            revert BorrowingMoreThanU2ForbiddenException(); // U:[LIM-3]
        }
Hence, although users are actually attempting to repay their debt when decreasing their leverage, they will not be able to do so because of this check. Users who have leveraged and rely on the flash loan will be unable to decrease their leverage during times of high utilization, and will accrue greater borrow interest in the meantime.
Tools Used
Manual review
Recommended Mitigation Steps
Since flash loans will improve the balance of the pool, allow flash loan contracts to borrow even during times of high utilization.
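The following is an added example, not LoopFi's code: a simplified Python model of the pool accounting that reproduces the revert in the proof of concept and shows the effect of the recommended exemption. It assumes the U_2 check is applied to post-borrow utilization and ignores fees and interest; the liquidity figures, the "flashlender" label and the flash_lender_exempt switch are constructed for illustration.

```python
WAD = 10**18

class BorrowingMoreThanU2Forbidden(Exception):
    """Stands in for BorrowingMoreThanU2ForbiddenException."""

class Pool:
    def __init__(self, expected, available, u2, flash_lender_exempt=False):
        self.expected = expected        # expectedLiquidity
        self.available = available      # availableLiquidity
        self.u2 = u2                    # U_2 limit, WAD-scaled
        self.flash_lender_exempt = flash_lender_exempt  # hypothetical mitigation switch

    def utilization(self):
        return (self.expected - self.available) * WAD // self.expected

    def lend_credit_account(self, amount, borrower):
        if amount > self.available:
            raise ValueError("insufficient liquidity")
        after = self.available - amount
        u_after = (self.expected - after) * WAD // self.expected
        exempt = self.flash_lender_exempt and borrower == "flashlender"
        if u_after > self.u2 and not exempt:
            raise BorrowingMoreThanU2Forbidden()   # state untouched, like a revert
        self.available = after

    def repay_credit_account(self, amount):
        self.available += amount

def decrease_lever(pool, debt):
    """Flash-borrow `debt`, repay the position with it, then repay the flash loan."""
    pool.lend_credit_account(debt, "flashlender")  # creditFlashLoan -> lendCreditAccount
    pool.repay_credit_account(debt)                # position debt repaid with the loan
    pool.repay_credit_account(debt)                # flash loan repaid from sold collateral
    return pool.utilization()

def run_scenario(flash_lender_exempt):
    # Constructed state: 92% utilization against a 90% U_2 limit.
    pool = Pool(1_000_000, 80_000, 90 * WAD // 100, flash_lender_exempt)
    try:
        return decrease_lever(pool, 50_000)
    except BorrowingMoreThanU2Forbidden:
        return None                                # delever blocked

if __name__ == "__main__":
    print("current behaviour:", run_scenario(False))
    print("with exemption:   ", run_scenario(True))
```

In the model the delever attempt is rejected at 92% utilization, while with the exemption the same operation completes and leaves the pool at 87%, below the U_2 limit.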
Assessed type
DoS