Calm Pine Robin
High
When a market is marked as deprecated, there is no check to ensure that borrowing from the market has been disabled. As a result, a user could borrow from this market and become immediately eligible for liquidation
here we can see that this code checks if the borrower is in the market if not adds him to the market so the borrower can continue borrowing https://github.com/sherlock-audit/2024-12-numa-audit/blob/ae1d7781efb4cb2c3a40c642887ddadeecabb97d/Numa/contracts/lending/NumaComptroller.sol#L420-L471 there is no check whatsoever that makes sure the borrower isnt borrowing from a deprecated market
while in the liquidation process the function allows the borrower to be liquidated instantly even if his position is healthy
function liquidateBorrowAllowed(
address cTokenBorrowed,
address cTokenCollateral,
address liquidator,
address borrower,
uint repayAmount
) external view override returns (uint) {
// Shh - currently unused
liquidator;
require((cTokenBorrowed) != (cTokenCollateral), "not isolate");
if (
!markets[cTokenBorrowed].isListed ||
!markets[cTokenCollateral].isListed
) {
return uint(Error.MARKET_NOT_LISTED);
}
uint borrowBalance = CToken(cTokenBorrowed).borrowBalanceStored(
borrower
);
/* allow accounts to be liquidated if the market is deprecated */
if (isDeprecated(CToken(cTokenBorrowed))) { /// ------>@audit
require(
borrowBalance >= repayAmount,
"Can not repay more than the total borrow"
);
} else {
/* The borrower must have shortfall in order to be liquidatable */
(
Error err,
,
uint shortfall,
uint badDebt
) = getAccountLiquidityIsolateInternal(
borrower,
CNumaToken(cTokenCollateral),
CNumaToken(cTokenBorrowed)
);
No response
No response
No response
loss of funds for borrower due to instant liquidation also the code adds the borrower to the market so this is very likely to happen
No response
dont allow borrrowers to borrow from a deprecated market