Lines of code
<https://github.com/code-423n4/2023-11-betafinance/blob/0f1bb077afe8e8e03093c8f26dc0b7a2983c3e47/Omni_Protocol/src/OmniPool.sol#L303&gt;
<https://github.com/code-423n4/2023-11-betafinance/blob/0f1bb077afe8e8e03093c8f26dc0b7a2983c3e47/Omni_Protocol/src/OmniToken.sol#L152&gt;
<https://github.com/code-423n4/2023-11-betafinance/blob/0f1bb077afe8e8e03093c8f26dc0b7a2983c3e47/Omni_Protocol/src/OmniToken.sol#L180&gt;

Vulnerability details

Impact

MEV bot can frontrun user’s repayment to liquidate user first when the OmniPool is unpaused

Proof of Concept

this report tries to combine a few issue

1. when OmniPool is paused, interest is still accuring
2. when OmniPool is paused, user cannot repay
3. user cannot repay to make the account health, use can deposit more asset to make account health, but user can deposit but cannot withdraw, meaning user’s deposit fund is locked

note that the repay function has WhenNotPaused modifier

if the OmniPool is paused for a long period of time,

then a malicious liquidator can keep calling accure to force user pay the interest

and when when admin unpause the contract, there is no time lock for user to repay the debt to reduce the borrow account, and the user’s is forced to enter the unhealthy state

liquidator cannot liquidate user when the contract is paused, but they can monitor the unpause transaction

MEV bot can frontrun user’s repayment to liquidate user first when OmniPool is unpaused

or it is possible during the pause period, the collateral asset price drops and when contract unpaused, before user repay, MEV bot liquidate and seize user asset first to capture liquidation reward

Tools Used

Manual Review

Recommended Mitigation Steps

enable repayment even when contract is paused, applies a timelock window for user to repay the debt when contract is unpaused,

do not charge interest when contract is paused

Assessed type

Invalid Validation

---

The text was updated successfully, but these errors were encountered:

All reactions