The buyLoan function within the Lender contract displays a critical vulnerability due to improper access controls. This loophole can potentially allow a malicious actor to gain unauthorized control over a loan.
In the buyLoan function, we’re buying a loan that has gone to auction. A malicious user can send in the loanId to buy and a random poolId that passes the requirement checks in the function such as having an interestRate lower than the currentAuctionRate and that the pool is big enough.
The vulnerability lies in the lines where we’re setting the msg.sender as the new lender, without checking that msg.sender owns the pool identified by poolId.
A malicious user can exploit this oversight to gain unauthorized ownership of a loan despite not being the owner of the specified poolId. This not only compromises the security and trustworthiness of the lending protocol but can also lead to significant financial losses for legitimate users and lenders within the system.
Manual Review.
Implement an authorization check at the beginning of the buyLoan function. This should verify that the caller is the rightful owner of the specified poolId.
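One way to apply this recommendation, shown as an added example on a simplified bookkeeping-only model rather than the audited Lender contract. The struct fields, mappings, error names and the createPool/openAuction helpers are assumptions made for illustration; only buyLoan, loanId, poolId, interestRate and currentAuctionRate come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model written for this example (no token transfers).
/// Field names, mappings and errors are assumptions, not the project's code.
contract LenderSketch {
    struct Pool { address lender; uint256 poolBalance; uint256 interestRate; }
    struct Loan { address lender; uint256 debt; uint256 currentAuctionRate; bool inAuction; }

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    error Unauthorized();
    error AuctionNotStarted();
    error RateTooHigh();
    error PoolTooSmall();

    // Hypothetical helper: registers one pool per caller.
    function createPool(uint256 balance, uint256 interestRate) external returns (bytes32 poolId) {
        poolId = keccak256(abi.encode(msg.sender));
        pools[poolId] = Pool(msg.sender, balance, interestRate);
    }

    // Hypothetical helper: records a loan that is already in auction.
    function openAuction(uint256 debt, uint256 rate) external returns (uint256 loanId) {
        loans.push(Loan(msg.sender, debt, rate, true));
        loanId = loans.length - 1;
    }

    function buyLoan(uint256 loanId, bytes32 poolId) external {
        Pool storage pool = pools[poolId];
        // Authorization check first: the caller must own the pool that funds the purchase.
        // An unregistered poolId has lender == address(0), so it is rejected here too.
        if (pool.lender != msg.sender) revert Unauthorized();

        Loan storage loan = loans[loanId];
        if (!loan.inAuction) revert AuctionNotStarted();
        // The requirement checks named in the finding.
        if (pool.interestRate > loan.currentAuctionRate) revert RateTooHigh();
        if (pool.poolBalance < loan.debt) revert PoolTooSmall();

        pool.poolBalance -= loan.debt;
        // Safe to assign now: msg.sender is the pool's lender, so the new
        // loan owner and the pool that paid for it always match.
        loan.lender = msg.sender;
        loan.inAuction = false;
    }
}
```

With the check in place, a call that names someone else's poolId reverts with Unauthorized before any pool balance or loan ownership changes.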