Lender.sol - DOS Vulnerability Due to the Accrued Debt Interest Discrepancy
Summary
Lender.sol - DOS Vulnerability Due to the Accrued Debt Interest Discrepancy
Vulnerability Details
In Lender.sol, when a borrower attempts to cleanly refinance a loan without paying the debt yet, he prepares his refinance data based on the getter getLoanDebt function. This predetermined refinance.debt might be slightly smaller than the actual debt amount debtToPay at execution time due to accrued interest between the time of calculation and the blockchain transaction confirmation. If the borrower does not have extra loan tokens in their wallet, the refinance transaction could revert when trying to call transferFrom at line 642, preventing them from cleanly moving the loan to a different pool.
Impact
The vulnerability could cause the borrower to be griefed when attempting to refinance, especially if they want to relocate their loan without borrowing or paying more tokens. The slight discrepancy in the debt calculation can lead to failed refinance transactions, causing inconvenience and potentially locking the borrower's funds.
Tools Used
Manual Review
Recommendations
To mitigate this issue, it is recommended to provide an option in the refinance data that allows the borrower to indicate their intention to optimally move their loan without paying or borrowing additional tokens. This will prevent failed refinance attempts and ensure a smooth transition of the loan to a different pool.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.