Submission Details
Severity: high
Valid

buyLoan() - anyone can become a lender even without having a pool

Summary

In Lender.sol, buyLoan() allows anyone to buy a loan during the auction period, even without owning a pool.

Vulnerability Details

The buyLoan() function does not check that msg.sender is the lender of the new pool, and it sets loan.lender to msg.sender. As a result, anyone can become a loan's lender without actually owning any pool.
https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L465
https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L518

Impact

Alice can watch for loans that are eligible for an ongoing auction and call buyLoan() with the respective loan IDs and pool IDs. The call successfully repays the existing pool and reduces the new pool's balance by the debt amount, but loan.lender is updated to Alice's address.
After that, Alice can create a pool with the same collateral and loan token.
This makes Alice the loan's lender in full, which lets her call the lender-only functions to obtain the loan tokens or collateral tokens.
So Alice can collect the debt/collateral amount without spending or losing anything.

Tools Used

Manual Review

Recommendations

  1. In buyLoan(), check that msg.sender and pool.lender are the same.

  2. Update the loan details with the pool's details (lender address).
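Added example, not Beedle's code: a reduced Solidity model of the buyLoan() shape described in this finding, placed beside a hardened version that applies both recommendations. The struct fields, mapping names and function signatures are assumptions, and repayment of the old pool is left out to keep the model small.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model (assumption, not Beedle's Lender.sol): only the state
/// that buyLoan() touches in this finding is kept.
contract LenderModel {
    struct Pool { address lender; uint256 poolBalance; }
    struct Loan { address lender; uint256 debt; bool inAuction; }

    mapping(bytes32 => Pool) public pools;
    mapping(uint256 => Loan) public loans;

    error Unauthorized();
    error NotInAuction();

    /// Shape described by the finding: no check that the caller owns
    /// `poolId`, and the loan is reassigned to msg.sender, so a caller
    /// with no pool at all ends up recorded as the loan's lender.
    function buyLoanVulnerable(uint256 loanId, bytes32 poolId) external {
        Loan storage loan = loans[loanId];
        if (!loan.inAuction) revert NotInAuction();
        pools[poolId].poolBalance -= loan.debt; // the new pool pays the debt
        loan.lender = msg.sender;               // caller need not own any pool
        loan.inAuction = false;
    }

    /// Hardened version per the recommendations: require that the caller is
    /// the lender of the new pool, and copy the pool's lender onto the loan
    /// so that the loan and pool records can never disagree.
    function buyLoan(uint256 loanId, bytes32 poolId) external {
        Pool storage pool = pools[poolId];
        if (pool.lender != msg.sender) revert Unauthorized(); // recommendation 1
        Loan storage loan = loans[loanId];
        if (!loan.inAuction) revert NotInAuction();
        pool.poolBalance -= loan.debt;
        loan.lender = pool.lender;                            // recommendation 2
        loan.inAuction = false;
    }
}
```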
