20,000 USDC
Submission Details
Severity: gas
Valid

[G-01] Lender#refinance - Authorising the borrower of the loan so late wastes a lot of gas

Summary

The Lender#refinance function, designed to handle the refinance of multiple loans in one call, authorizes the borrower (or caller) relatively late in its execution. This can lead to wasted gas if an unauthorized caller initiates the transaction.

Vulnerability Details

Within the Lender#refinance function, there are multiple operations performed, including hash calculations and variable assignments, before reaching the authorization check:

if (msg.sender != loan.borrower) revert Unauthorized();

This check ensures that the caller is indeed the borrower of the loan they are attempting to refinance. However, placing this check after several operations means that an unauthorized caller will end up consuming gas until the function execution reaches this check and then fails.

Impact

The main consequence of this design decision is unnecessary gas wastage. If an unauthorized user were to call the function, they would incur gas costs for operations preceding the authorization check.

Tools Used

Manual review.

Recommendations

  1. Move Authorization Check to the Beginning: Shift the borrower authorization check to the start of the function or as close to the start as logically possible. By ensuring unauthorized callers fail fast, you minimize wasted gas.
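The reordering recommended above, shown as an added example on a simplified model; this is not the audited Lender contract, and the struct layout, the _poolId and _apply helpers and the Refinanced event are assumptions made for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Hypothetical, simplified model: names and struct layout are assumptions,
// not the audited Lender contract.
contract RefinanceOrdering {
    error Unauthorized();
    event Refinanced(uint256 loanId, bytes32 oldPoolId, bytes32 newPoolId, uint256 debt);

    struct Loan {
        address borrower;
        address lender;
        address loanToken;
        address collateralToken;
        uint256 debt;
    }
    struct Refinance {
        uint256 loanId;
        bytes32 poolId;
        uint256 debt;
    }
    mapping(uint256 => Loan) public loans;

    // Late check: five storage slots are copied to memory and a hash is
    // computed before the caller is validated.
    function refinanceLate(Refinance[] calldata refinances) external {
        for (uint256 i = 0; i < refinances.length; i++) {
            Loan memory loan = loans[refinances[i].loanId];
            bytes32 oldPoolId = _poolId(loan);
            if (msg.sender != loan.borrower) revert Unauthorized();
            _apply(refinances[i], oldPoolId);
        }
    }

    // Early check: a single read of the borrower slot, then revert or go on.
    function refinanceEarly(Refinance[] calldata refinances) external {
        for (uint256 i = 0; i < refinances.length; i++) {
            uint256 loanId = refinances[i].loanId;
            if (msg.sender != loans[loanId].borrower) revert Unauthorized();
            _apply(refinances[i], _poolId(loans[loanId]));
        }
    }

    function _poolId(Loan memory loan) internal pure returns (bytes32) {
        return keccak256(abi.encode(loan.lender, loan.loanToken, loan.collateralToken));
    }
    // Minimal state change standing in for the rest of a refinance.
    function _apply(Refinance calldata r, bytes32 oldPoolId) internal {
        loans[r.loanId].debt = r.debt;
        emit Refinanced(r.loanId, oldPoolId, r.poolId, r.debt);
    }
}
```

The borrower lives in storage, so the check cannot precede the first read of the loan; the earliest possible position is directly after reading that one slot. On the authorized path refinanceEarly reads the borrower slot a second time when the struct is copied, which is a warm read (100 gas under EIP-2929).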
