This repository has been archived by the owner on May 26, 2023. It is now read-only.
This was a design decision but we have decided to change it so that users can closeLoans, addCollateral or be liquidated when a collateral/vault is Paused.
Fixed here: kree-dotcom/isomorph@be279b3. Collateral pausing has been modified to match Vault pausing. Because a user can closeLoan, addCollateral or be liquidated while a collateral is paused, there is no reason to freeze interest accruing on the collateral. Like a paused Vault, the only action not possible when a collateral is paused is openLoan().
hansfriese
medium
The protocol shouldn't charge interests when paused
Summary
The protocol charges interest from users using virtualPrice and it increases when the protocol is paused.
As a result, users would be forced to pay more interest and experience an unexpected liquidation.
Vulnerability Detail
The protocol has 3 kinds of vault and each one has a pause/unpause option by pausers.
Also, each collateral would be paused using CollateralBook.pauseCollateralType().
But it updates the virtualPrice during the paused period and the below scenarios would be possible.
Scenario 1
Alice opened a loan using some collaterals.
liquidatable one but she can't add collaterals (or close the loan) in the paused state.
Bob can liquidate her loan with front running.
Scenario 2
Alice opened a loan with minOpeningMargin = 101%.
minOpeningMargin = 105%.
Alice wants to close her loan before it's applied because it's too high for her but she can't because it's paused.
minOpeningMargin is applied, Alice will be forced to pay interest of the higher minOpeningMargin for the paused period.
When I check other protocols to charge interest, it's normal to enable some ways to protect their loans during the paused period for users.
Currently, all functions don't work in the paused mode and it shouldn't charge interest in this case.
Impact
Users might be forced to pay more interest or their loans might be liquidated unexpectedly.
Code Snippet
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Isomorph/contracts/CollateralBook.sol#L127
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Isomorph/contracts/Vault_Base_ERC20.sol#L85
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Isomorph/contracts/Vault_Velo.sol#L141
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Isomorph/contracts/Vault_Base_ERC20.sol#L203-L221
https://github.com/sherlock-audit/2022-11-isomorph/blob/main/contracts/Isomorph/contracts/Vault_Velo.sol#L248-L265
Tool used
Manual Review
Recommendation
We shouldn't increase the virtualPrice during the paused period.
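The accrual problem in this report, as an added Python model that is not Isomorph's code: it compares the reported behaviour, the report's recommendation (freeze virtualPrice while paused) and the sponsor's fix (allow addCollateral while paused). The rate, liquidation margin and loan amounts are constructed values, and all class and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed values, not Isomorph's parameters.
RATE = 1.0001        # virtualPrice multiplier per accrual period
LIQ_MARGIN = 1.10    # loan is liquidatable below collateral/debt = 110%


@dataclass
class Book:  # hypothetical stand-in for the collateral book
    virtual_price: float = 1.0
    paused: bool = False
    freeze_when_paused: bool = False  # the report's recommendation

    def accrue(self, periods: int) -> None:
        if self.paused and self.freeze_when_paused:
            return  # no interest while users cannot act
        self.virtual_price *= RATE ** periods


@dataclass
class Loan:
    collateral_value: float
    principal: float  # debt expressed in virtualPrice units

    def liquidatable(self, book: Book) -> bool:
        debt = self.principal * book.virtual_price
        return self.collateral_value < debt * LIQ_MARGIN


def add_collateral(book, loan, amount, allowed_when_paused):
    if book.paused and not allowed_when_paused:
        raise PermissionError("collateral paused")
    loan.collateral_value += amount


def liquidatable_at_unpause(freeze, allowed_when_paused, periods=1000):
    """True if a loan that was healthy at pause is liquidatable at unpause."""
    book = Book(freeze_when_paused=freeze)
    loan = Loan(collateral_value=115.0, principal=100.0)
    assert not loan.liquidatable(book)  # healthy before the pause
    book.paused = True
    book.accrue(periods)
    try:  # the borrower tries to top up during the pause
        add_collateral(book, loan, 10.0, allowed_when_paused)
    except PermissionError:
        pass
    book.paused = False
    return loan.liquidatable(book)
```

Only the combination of continued accrual and blocked user actions leaves the loan liquidatable at unpause; either mitigation alone keeps it healthy in this model.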