20,000 USDC
Submission Details
Severity: high

Potential unauthorized loan repayment bug in repay() function

Summary

It's 3:13am in the morning, forgive me if I'm imagining bugs now, but this caught my eye. Can you imagine someone other than the borrower being able to call the repay() function and pay off the borrower's loan with their (msg.sender's) own funds?

Everything happens correctly it seems: The borrower gets back their collateral, the fee receiver gets their fee, and the good samaritan parts happily with their tokens to pay off the borrower's loan.

So it's either going to be a bittersweet griefing attacked borrower, or a really happy borrower. I don't remember reading in the docs that this is supposed to be intended functionality... and even if it was intended, surely the griefing attack vector is still possible and not intended. I rest my case.

Vulnerability Details

PoC:
Follow the white rabbit.

Impact

  • a bittersweet griefing attacked borrower(s), or a really happy borrower(s).

  • protocol reputation damage

  • ?

Tools Used

VSC, manual, followed the white rabbit.

Recommendations

  • Don't make it possible for anyone other than the borrower to repay their loan.

  • Add checks to ensure only the borrower can call the repay() function.
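
The caller check recommended above, sketched as an added example that is not the audited protocol's code and not part of the original submission. The contract name, the `Loan` layout, the flat `fee` field and the error names are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal loan book, written only to illustrate the recommendation.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract LoanBookSketch {
    struct Loan {
        address borrower;
        address lender;
        IERC20 loanToken;
        IERC20 collateralToken;
        uint256 debt;        // amount owed to the lender (assumed precomputed)
        uint256 fee;         // protocol fee owed on repayment (assumed precomputed)
        uint256 collateral;  // collateral held by this contract
    }

    error NoSuchLoan(uint256 loanId);
    error NotBorrower(address caller, address borrower);
    error TransferFailed();

    address public immutable feeReceiver;
    mapping(uint256 => Loan) public loans; // loan creation omitted from this sketch

    event Repaid(uint256 indexed loanId, address indexed payer);

    constructor(address feeReceiver_) {
        feeReceiver = feeReceiver_;
    }

    function repay(uint256 loanId) external {
        Loan memory loan = loans[loanId];
        if (loan.borrower == address(0)) revert NoSuchLoan(loanId);
        // Recommended check: a third party can no longer close someone else's loan.
        if (msg.sender != loan.borrower) revert NotBorrower(msg.sender, loan.borrower);

        // Clear state before any external call so the loan cannot be repaid twice.
        delete loans[loanId];

        // msg.sender is now guaranteed to be the borrower, so funds come from them.
        if (!loan.loanToken.transferFrom(msg.sender, loan.lender, loan.debt)) revert TransferFailed();
        if (!loan.loanToken.transferFrom(msg.sender, feeReceiver, loan.fee)) revert TransferFailed();
        if (!loan.collateralToken.transfer(loan.borrower, loan.collateral)) revert TransferFailed();
        emit Repaid(loanId, msg.sender);
    }
}
```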
