Skip to content
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

ni8mare - rollLoan function can be called by anyone. #235

Closed
sherlock-admin2 opened this issue Aug 28, 2023 · 0 comments
Closed

ni8mare - rollLoan function can be called by anyone. #235

sherlock-admin2 opened this issue Aug 28, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Aug 28, 2023
edited by sherlock-admin
Loading

ni8mare

high

rollLoan function can be called by anyone.

Summary

rollLoan can be called by any malicious lender, changing the terms of the loans for the borrower without them wanting to.

Vulnerability Detail

As soon as a loan request is cleared by a lender, the same lender could immediately call the provideNewTermsForRoll and input a very high values for the interest_ and loanToCollateral_ parameters. The call executes since it is called by the same lender who cleared the loan and hence the check (if (msg.sender != loan.lender) revert OnlyApproved();) passes.

As there is no check on who calls the rollLoan function, the same lender can call this function before loan expiry. Also, since loanToCollateral_ was set to a very high value in the provideNewTermsForRoll function, the collateral required to be transferred can be a very small value and even zero depending on the value of loanToCollateral_. The required collateral is defined as:

    function collateralFor(uint256 amount_, uint256 loanToCollateral_) public view returns (uint256) {
        return (amount_ * (10 ** collateral().decimals())) / loanToCollateral_;
    }

So, if loanToCollateral_ is a big value, the collateral returned is a small value. Hence, the new collateral value can even be 0.

    function newCollateralFor(uint256 loanID_) public view returns (uint256) {
        Loan memory loan = loans[loanID_];
        // Accounts for all outstanding debt (borrowed amount + interest).
        uint256 neededCollateral = collateralFor(
            loan.amount,
            loan.request.loanToCollateral
        );

        return
            neededCollateral > loan.collateral ?
            neededCollateral - loan.collateral :
            0; //Note - zero can be returned. Meaning malicious lender need not transfer any collateral
    }

Impact

The debt that a borrower has to pay could be increased to an extremely high value by a malicious lender such that a user could even fail to repay it and in the process, the lender would steal the collateral after the loan's expiry.

Code Snippet

https://github.com/sherlock-audit/2023-08-cooler/blob/main/Cooler/src/Cooler.sol#L192

Tool used

Manual Review

Recommendation

Add a check to see that the rollLoan function is only called by the owner of the escrow, like rescindRequest function.

 if (msg.sender != owner()) revert OnlyApproved();

Duplicate of #26
@github-actions github-actions bot closed this as completed Sep 1, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 1, 2023
@sherlock-admin sherlock-admin changed the title Vast Mandarin Sparrow - rollLoan function can be called by anyone. ni8mare - rollLoan function can be called by anyone. Sep 12, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Sep 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2