Submission Details
Severity: medium

[M-03] Lender#setPool - Lender could create malicious ERC20-token to exploit borrower

Summary:

The setPool function within the provided smart contract allows lenders to establish lending pools. However, this functionality can be misused if a lender crafts a malicious ERC20 token to use as the lendingToken, potentially leading to various types of exploits that can harm borrowers and interfere with the contract's expected operations.

Vulnerability Details:

Lenders can utilize any ERC20 token, including those they've crafted themselves. This leaves an avenue open for maliciously designed tokens that behave unpredictably. Here are some examples:

  • The lender could customize the **transfer** and **transferFrom** functions called by **Lender.sol** so that they become gas-intensive whenever the borrower (or a third party) calls IERC20(loan.loanToken).transfer(...) or IERC20(loan.loanToken).transferFrom(...).

  • The lender could make the **transfer** and **transferFrom** functions revert and only succeed when the market conditions benefit them. This makes it possible to control when the borrower can **borrow** and **repay**. Consider the following:

    // Malicious ERC20 token
    // Lender-controlled switch that decides whether transfers succeed
    bool public isAllowed;

    function transferFrom(address sender, address recipient, uint256 amount) external override returns (bool) {
        // Every call reverts until the lender flips the switch
        if (!isAllowed) {
            revert("Failed");
        }
        // other code that mimics the transferFrom from OZ
    }

    function setIsAllowed(bool _isAllowed) external {
        isAllowed = _isAllowed;
    }

In the code above, the lender can make every call to the token revert until the market conditions around a borrow and/or repay call suit the lender. At that point, the lender simply calls setIsAllowed(true) so that transferFrom (or transfer) succeeds.

Impact:

The above are only a few of the many malicious behaviours that a malicious ERC20 token makes possible. Accepting arbitrary tokens opens up a wide range of attack vectors that could be used against the borrower.

Tools Used:

Manual Review.

Recommendations:

Whitelisting Tokens: Only allow tokens that have been vetted and approved by the platform to be used. This will prevent the introduction of malicious tokens.
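One way to implement the recommended whitelist, as an added example that is not code from Lender.sol or from the original submission. The contract name, the simplified `PoolParams` struct (including its `collateralToken` field), the owner role and the pool id derivation are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example: gate pool creation on a platform-managed token allowlist.
/// All identifiers are hypothetical and not taken from Lender.sol.
contract AllowlistedLender {
    address public owner;                              // platform admin that vets tokens
    mapping(address => bool) public isAllowedToken;    // token address => vetted

    // Simplified stand-in for the real pool struct (assumption).
    struct PoolParams {
        address loanToken;
        address collateralToken;
    }

    event TokenAllowed(address indexed token, bool allowed);

    error NotOwner();
    error TokenNotAllowed(address token);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Add or remove a vetted token. Only the platform can call this.
    function setTokenAllowed(address token, bool allowed) external onlyOwner {
        isAllowedToken[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    /// Reject the pool before any state is written if either token is unvetted.
    function setPool(PoolParams calldata p) external returns (bytes32 poolId) {
        if (!isAllowedToken[p.loanToken]) revert TokenNotAllowed(p.loanToken);
        if (!isAllowedToken[p.collateralToken]) revert TokenNotAllowed(p.collateralToken);
        poolId = keccak256(abi.encode(msg.sender, p.loanToken, p.collateralToken));
        // ... the existing pool bookkeeping would follow here
    }
}
```

The check sits only on pool creation, so removing a token from the list later does not block borrowers from repaying loans that already exist. Vetting should also confirm that a listed token is not upgradeable or otherwise able to change its transfer logic after approval.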
