This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

evilakela - Lender can roll loan with arbitrary terms #147

Closed
sherlock-admin2 opened this issue Aug 28, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

sherlock-admin2 commented Aug 28, 2023

evilakela

high

Lender can roll loan with arbitrary terms

Summary

Lender can provideNewTermsForRoll and then rollLoan with these terms because it is permissionless.

Vulnerability Detail

Basically, it allows the lender to arbitrarily set interest, LTC and duration, and so increase the debt as he wants. This may require pledging additional collateral (or may not, if LTC is decreased), but if the debt increase is huge, the borrower won't repay and will lose the collateral anyway.
Attack path:

  1. lender clears loan
  2. calls provideNewTermsForRoll with a huge interest rate to drastically increase debt, a small duration and a smaller LTC so as not to provide additional collateral
  3. calls rollLoan
  4. now the borrower is forced to lose collateral or pay a huge debt

Impact

Lender can arbitrarily increase loan debt. Borrower loses collateral if they don't repay.

Code Snippet

https://github.com/sherlock-audit/2023-08-cooler/blob/main/Cooler/src/Cooler.sol#L192-L217
https://github.com/sherlock-audit/2023-08-cooler/blob/main/Cooler/src/Cooler.sol#L282-L300

Tool used

Manual Review

Recommendation

Make rollLoan callable only by the borrower (and maybe a trusted party like Clearinghouse).

Duplicate of #26
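
A minimal sketch of the recommendation in the report above, added here as an example; it is not code from Cooler.sol or from the report's author. The contract name, the `open` helper, the error names and the flat basis-point interest are assumptions made for illustration; only `provideNewTermsForRoll` and `rollLoan` are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Simplified model for illustration only; not the audited Cooler.sol.
contract RollGuardExample {
    struct Terms { uint256 interestBps; uint256 duration; bool offered; }
    struct Loan {
        address borrower;
        address lender;
        uint256 debt;
        uint256 expiry;
        Terms roll; // terms the lender proposes for the next roll
    }

    error OnlyLender();
    error OnlyBorrower();
    error NotRollable();
    error Expired();

    Loan[] public loans;

    /// Hypothetical helper so the example has a loan to act on; caller is the borrower.
    function open(address lender_, uint256 debt_, uint256 duration_) external returns (uint256 id) {
        id = loans.length;
        loans.push(Loan(msg.sender, lender_, debt_, block.timestamp + duration_, Terms(0, 0, false)));
    }

    /// The lender may still propose new terms; proposing alone changes nothing for the borrower.
    function provideNewTermsForRoll(uint256 id, uint256 interestBps_, uint256 duration_) external {
        Loan storage loan = loans[id];
        if (msg.sender != loan.lender) revert OnlyLender();
        loan.roll = Terms(interestBps_, duration_, true);
    }

    /// Hardened: only the borrower can accept the offer, so debt never grows without consent.
    /// Without the first check, the lender could call this right after proposing terms.
    function rollLoan(uint256 id) external {
        Loan storage loan = loans[id];
        if (msg.sender != loan.borrower) revert OnlyBorrower();
        if (block.timestamp > loan.expiry) revert Expired();
        if (!loan.roll.offered) revert NotRollable();
        loan.roll.offered = false; // an offer can be consumed only once
        loan.debt += (loan.debt * loan.roll.interestBps) / 10_000; // simplified flat interest
        loan.expiry += loan.roll.duration;
    }
}
```

A regression test for this guard would call `rollLoan` from the lender address after `provideNewTermsForRoll` and expect the `OnlyBorrower` revert, then repeat the call from the borrower and check the updated debt and expiry.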

@github-actions github-actions bot closed this as completed Sep 1, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 1, 2023
@sherlock-admin sherlock-admin changed the title Innocent Lilac Cyborg - Lender can roll loan with arbitrary terms evilakela - Lender can roll loan with arbitrary terms Sep 12, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Sep 12, 2023