Skip to content
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

deadrxsezzz - If a lender has made a request and gives the loan to a new lender, the borrower can still accept the original lender's proposed terms #253

Closed
sherlock-admin2 opened this issue Aug 28, 2023 · 0 comments
Closed

deadrxsezzz - If a lender has made a request and gives the loan to a new lender, the borrower can still accept the original lender's proposed terms #253

sherlock-admin2 opened this issue Aug 28, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Aug 28, 2023
edited by sherlock-admin
Loading

deadrxsezzz

high

If a lender has made a request and gives the loan to a new lender, the borrower can still accept the original lender's proposed terms

Summary

If a lender has made a request and gives the loan to a new lender, the borrower can still accept the original lender's proposed terms

Vulnerability Detail

After a loan is active, the lender can propose new terms for it via provideNewTermsForRoll.

   function provideNewTermsForRoll(
        uint256 loanID_,
        uint256 interest_,
        uint256 loanToCollateral_,
        uint256 duration_
    ) external {
        Loan storage loan = loans[loanID_];

        if (msg.sender != loan.lender) revert OnlyApproved();

        loan.request =
            Request(
                loan.amount,
                interest_,
                loanToCollateral_,
                duration_,
                true
            );
    }

The lender can also transfer ownership of the loan to a new lender. The problem is that upon doing so, the requests for the loan are not cleared. This means that after transferring the ownership, the borrower can still accept the terms from the original lender, even if the new one finds them unfavorable.

Impact

New lender can be forced into unfavorable loan terms.

Code Snippet

https://github.com/sherlock-audit/2023-08-cooler/blob/main/Cooler/src/Cooler.sol#L282C2-L300C6

Tool used

Manual Review

Recommendation

Upon transferring ownership of a loan, clear all requests for it.

Duplicate of #26
@github-actions github-actions bot closed this as completed Sep 1, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 1, 2023
@sherlock-admin sherlock-admin changed the title Generous Juniper Mink - If a lender has made a request and gives the loan to a new lender, the borrower can still accept the original lender's proposed terms deadrxsezzz - If a lender has made a request and gives the loan to a new lender, the borrower can still accept the original lender's proposed terms Sep 12, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Sep 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2