HChang26 - Malicious lender can increase loan.amount #133

sherlock-admin2 · 2023-08-28T17:37:46Z

HChang26

high

Malicious lender can increase loan.amount

Summary

Lender can provideNewTermsForRoll and rollLoan on behalf of borrower when no new collateral is needed.

Vulnerability Detail

Let's take a look at provideNewTermsForRoll:

loan.request =
            Request(
                loan.amount,
                interest_,
                loanToCollateral_,
                duration_,
                true
            );

Lender can carefully craft a new Request that will not require newCollateral when rollLoan() is called:

// Check whether rolling the loan requires pledging more collateral or not (if there was a previous repayment).
        uint256 newCollateral = newCollateralFor(loanID_);
        uint256 newDebt = interestFor(loan.amount, loan.request.interest, loan.request.duration);

        // Update memory accordingly.
        loan.amount += newDebt;
        loan.collateral += newCollateral;
        loan.expiry += loan.request.duration;
        loan.request.active = false;

        // Save updated loan info in storage.
        loans[loanID_] = loan;

Since there is not sanity check, Lender is able to call rollLoan() on behalf of borrower. As a consequence, to increase the amount that has to be repaid.

Impact

Borrower has to repay more than expected in order to avoid

Code Snippet

https://github.com/sherlock-audit/2023-08-cooler/blob/main/Cooler/src/Cooler.sol#L282

https://github.com/sherlock-audit/2023-08-cooler/blob/main/Cooler/src/Cooler.sol#L192

Tool used

Manual Review

Recommendation

function rollLoan(uint256 loanID_) external {
+      if(msg.sender != owner()) revert();
        Loan memory loan = loans[loanID_];

        if (block.timestamp > loan.expiry) revert Default();
        if (!loan.request.active) revert NotRollable();

        // Check whether rolling the loan requires pledging more collateral or not (if there was a previous repayment).
        uint256 newCollateral = newCollateralFor(loanID_);
        uint256 newDebt = interestFor(loan.amount, loan.request.interest, loan.request.duration);

        // Update memory accordingly.
        loan.amount += newDebt;
        loan.collateral += newCollateral;
        loan.expiry += loan.request.duration;
        loan.request.active = false;

        // Save updated loan info in storage.
        loans[loanID_] = loan;

        if (newCollateral > 0) {
            collateral().safeTransferFrom(msg.sender, address(this), newCollateral);
        }

        // If necessary, trigger lender callback.
        if (loan.callback) CoolerCallback(loan.lender).onRoll(loanID_, newDebt, newCollateral);
    }

Duplicate of #26

The text was updated successfully, but these errors were encountered:

github-actions bot closed this as completed Sep 1, 2023

github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 1, 2023

sherlock-admin changed the title ~~Boxy Gingham Elephant - Malicious lender can increase loan.amount~~ HChang26 - Malicious lender can increase loan.amount Sep 12, 2023

sherlock-admin added the Reward A payout will be made for this issue label Sep 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HChang26 - Malicious lender can increase loan.amount #133

HChang26 - Malicious lender can increase loan.amount #133

sherlock-admin2 commented Aug 28, 2023 •

edited by sherlock-admin

Loading

HChang26 - Malicious lender can increase loan.amount #133

HChang26 - Malicious lender can increase loan.amount #133

Comments

sherlock-admin2 commented Aug 28, 2023 • edited by sherlock-admin Loading

Malicious lender can increase loan.amount

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

sherlock-admin2 commented Aug 28, 2023 •

edited by sherlock-admin

Loading