Skip to content

Latest commit

 

History

History
63 lines (44 loc) · 2.75 KB

034.md

File metadata and controls

63 lines (44 loc) · 2.75 KB

Strong Gauze Hawk

Medium

Interests keeps accumulating even when protocol is paused

Summary

The repay() function doesn't have a notPaused modifier which means when the protocol is paused, users are still able to repay their debts to avoid forced and unfair liquidations. But the problem is that during repayment, the updateState() function is called which updates the borrowingIndex and also accrues interests

function repay(address asset, uint256 amount) external nonReentrant returns (uint256) {
        require(msg.sender == leverager, "borrower not leverager");
        DataTypes.ReserveData storage reserve = getReserve(asset);
        // update states
        reserve.updateState();

.....
function updateState(DataTypes.ReserveData storage reserve) internal {
        _updateIndexes(reserve);
    }

If the protocol intends to allow repayments during a pause to help users avoid liquidation, that's acceptable. However, accruing interest during the pause could still harm users because their debt increases even when they can't take other actions like borrowing more or depositing. This could lead to unintended liquidations once the protocol resumes.

function _updateIndexes(DataTypes.ReserveData storage reserve) internal {
        uint256 newBorrowingIndex = reserve.borrowingIndex;
        uint256 newTotalBorrows = reserve.totalBorrows;

        if (reserve.totalBorrows > 0) {
            newBorrowingIndex = latestBorrowingIndex(reserve);
            newTotalBorrows = newBorrowingIndex * (reserve.totalBorrows) / (reserve.borrowingIndex);

            require(newBorrowingIndex <= type(uint128).max);

            reserve.borrowingIndex = newBorrowingIndex;
            reserve.totalBorrows = newTotalBorrows;
        }
        reserve.lastUpdateTimestamp = uint128(block.timestamp);
    }

The updateState() function in reserve.updateState() updates the borrowing index based on the current time, which would include the period when the protocol was paused.

This means that the interest accrued during the pause is added to the debt. If the protocol is paused for a significant time, this could substantially increase the debt.

Borrowers should not face debt increases during protocol downtime

Impact

Borrowers’ debts grow via interest accrual even when the protocol is paused.

Recommendation

Modify updateState() to skip interest calculations when the protocol is paused.

Code snippets

https://github.com/sherlock-audit/2025-02-yieldoor/blob/main/yieldoor/src/LendingPool.sol#L190 https://github.com/sherlock-audit/2025-02-yieldoor/blob/main/yieldoor/src/libraries/ReserveLogic.sol#L150-L164 https://github.com/sherlock-audit/2025-02-yieldoor/blob/main/yieldoor/src/libraries/ReserveLogic.sol#L131-L133