Severity: high

Loans might end up being repaid only on paper

Summary

When a loan is repaid, the pool balance is first updated to account for the repayment, and only then are the loan tokens actually transferred to the pool, via an unsafe transfer call. This can leave the loan paid on paper but not in reality, which essentially means the pool has just incurred a loss.

Vulnerability Details

Some ERC20 tokens do not revert on a failed transfer call and return false instead. This benefits a borrower who repays their loan when the transfer of loan tokens from them to the pool fails: the repayment is still reflected in the pool's loan token balance in state, the loan is deleted from state, and the borrower keeps their loan tokens and also gets their collateral back.

Impact

Because of this, the pool can no longer collect on the loan, holds no collateral, and might end up insolvent, to the benefit of the borrower.

Tools Used

Manual review

Recommendations

Use safeTransfer() when transferring loan tokens from the borrower to the pool, or simply require that the transfer call returned true.
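
The pattern described above next to the second recommended fix, as an added sketch that is not the audited contract's code. The contract, struct, function and variable names (`PoolSketch`, `Loan`, `repayUnchecked`, `repayChecked`, `poolBalance`) are hypothetical, and the caller is assumed to be the payer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal pool, constructed for illustration only.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract PoolSketch {
    struct Loan { address borrower; uint256 debt; uint256 collateral; }

    IERC20 public immutable loanToken;
    IERC20 public immutable collateralToken;
    uint256 public poolBalance;            // loan tokens the pool believes it holds
    mapping(uint256 => Loan) public loans;

    constructor(IERC20 _loanToken, IERC20 _collateralToken) {
        loanToken = _loanToken;
        collateralToken = _collateralToken;
    }

    // Pattern from the finding: bookkeeping first, return value ignored.
    function repayUnchecked(uint256 id) external {
        Loan memory loan = loans[id];
        require(loan.borrower != address(0), "no such loan");
        poolBalance += loan.debt;          // repayment recorded in state
        delete loans[id];                  // loan removed from state
        // A token that returns false instead of reverting leaves the
        // state changes above in place although no tokens moved.
        loanToken.transferFrom(msg.sender, address(this), loan.debt);
        collateralToken.transfer(loan.borrower, loan.collateral);
    }

    // Hardened form: a false return reverts the call, which also undoes
    // the balance update and the loan deletion.
    function repayChecked(uint256 id) external {
        Loan memory loan = loans[id];
        require(loan.borrower != address(0), "no such loan");
        poolBalance += loan.debt;
        delete loans[id];
        require(loanToken.transferFrom(msg.sender, address(this), loan.debt), "repay transfer failed");
        require(collateralToken.transfer(loan.borrower, loan.collateral), "collateral transfer failed");
    }
}
```

The `require` form reverts on tokens that return no value at all, because the declared `bool` cannot be decoded; OpenZeppelin's SafeERC20 wrappers accept both a `true` return and empty return data, which is why the safe-transfer option covers more tokens.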
