Severity: medium

Borrower might end up having to repay more than borrowed

Summary

When borrowing, the loan token balance of the pool being borrowed from is updated first (_updatePoolBalance(poolId, pools[poolId].poolBalance - debt)) and only then are the loan tokens transferred to the borrower. Because some ERC20 tokens do not revert on transfer failure, a borrower might end up with a loan on their tab without having actually received the loan tokens they intended to borrow.

Vulnerability Details

As a result, the borrower has deposited collateral that they can only withdraw by repaying the loan tokens they intended to borrow, plus fees, to the pool. This incurs a loss for the borrower and unintentionally benefits the pool.

Impact

Borrower has to pay what they intended to borrow without receiving it.

Tools Used

Manual review

Recommendations

Use safeTransfer when transferring loan tokens to the borrower, or at least ensure the transfer call returned true.
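The recommendation above as an added sketch, not the audited project's code: the unchecked borrow path beside a checked one, with the checks a safeTransfer wrapper performs written out inline. The contract, its mappings and every function name here are hypothetical; only the order of operations (balance update, then transfer) and the names poolBalance and debt follow the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified pool. Collateral and fees are omitted.
contract LoanPoolSketch {
    mapping(bytes32 => uint256) public poolBalance;
    mapping(address => uint256) public owed;
    IERC20 public immutable loanToken;

    constructor(IERC20 token) { loanToken = token; }

    // Bookkeeping helper for trying the sketch out; not a real deposit flow.
    function seed(bytes32 poolId, uint256 amount) external { poolBalance[poolId] += amount; }

    // Before: the return value is ignored. A token that returns false instead
    // of reverting leaves the debt recorded with nothing delivered.
    function borrowUnchecked(bytes32 poolId, uint256 debt) external {
        poolBalance[poolId] -= debt;
        owed[msg.sender] += debt;
        loanToken.transfer(msg.sender, debt);
    }

    // After: the call reverts unless the transfer verifiably succeeded, which
    // also rolls back the two accounting updates made before it.
    function borrowChecked(bytes32 poolId, uint256 debt) external {
        poolBalance[poolId] -= debt;
        owed[msg.sender] += debt;
        _safeTransfer(loanToken, msg.sender, debt);
    }

    // The call must not revert, and any returned data must decode to true.
    // Empty return data is accepted only from a contract, which covers tokens
    // whose transfer returns nothing; a plain require(token.transfer(...))
    // would revert on those tokens when decoding the missing bool.
    function _safeTransfer(IERC20 token, address to, uint256 amount) private {
        (bool ok, bytes memory data) =
            address(token).call(abi.encodeCall(IERC20.transfer, (to, amount)));
        require(ok, "transfer reverted");
        if (data.length == 0) {
            require(address(token).code.length > 0, "token is not a contract");
        } else {
            require(abi.decode(data, (bool)), "transfer returned false");
        }
    }
}
```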
