20,000 USDC
Submission Details
Severity: high

Not checking return value of transferFrom

Summary

A lender can set a pool without actually providing any loan tokens to the lender.sol contract.

Vulnerability Details

Some tokens do not revert when a transfer fails; instead they return the boolean value false. Because the return value of transferFrom is not checked, a malicious lender can set a pool without transferring the loan tokens to the contract. In this way the lender can set poolBalance as high as he wants without transferring the tokens. The lender can even set the pool with a new pool balance such that p.poolBalance < currentBalance and get loan tokens from the lender.sol contract. The lender can also increase the pool's balance by calling the addToPool function even if the lender doesn't have the required loan tokens.

Impact

The lender can earn debt + interest without depositing the loan tokens to the lender.sol contract, because the borrower is paid from the lender.sol contract's balance, which also holds the loan tokens of other lenders using the same loan token. The lender can even steal the loan tokens of other lenders from the lender.sol contract by setting p.poolBalance < currentBalance and getting loan tokens for free.

Tools Used

Manual review

Recommendations

Add the line

    require(IERC20(p.loanToken).transferFrom(
        p.lender,
        address(this),
        p.poolBalance - currentBalance
    ), "transfer failed");

or anything similar that checks the returned boolean.
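The unchecked call beside the checked form from the recommendation, as an added example that is not the audited contract's code. FalseReturningToken, PoolModel and Demo are constructed names, and the pool accounting is a simplified assumption, not the real lender.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 { // trimmed to the one function this example needs
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed token: signals failure by returning false instead of reverting.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) return false;
        balanceOf[from] -= amount;
        allowance[from][msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical minimal pool accounting, modelled on the description above.
contract PoolModel {
    mapping(address => mapping(address => uint256)) public poolBalance; // lender => token => credit

    // Unchecked: the credit is kept even when the token returned false.
    function addToPoolUnchecked(address token, uint256 amount) external {
        poolBalance[msg.sender][token] += amount;
        IERC20(token).transferFrom(msg.sender, address(this), amount);
    }

    // Checked: a false return reverts the call and rolls the credit back.
    function addToPoolChecked(address token, uint256 amount) external {
        poolBalance[msg.sender][token] += amount;
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
    }
}

contract Demo {
    // This contract holds no tokens; compare what each path records for it.
    function run() external returns (uint256 credited, bool checkedReverted) {
        FalseReturningToken t = new FalseReturningToken();
        PoolModel p = new PoolModel();
        p.addToPoolUnchecked(address(t), 1000 ether);
        credited = p.poolBalance(address(this), address(t)); // credit recorded without a deposit
        try p.addToPoolChecked(address(t), 1000 ether) {} catch { checkedReverted = true; }
    }
}
```

Tokens that return no value at all make the `require` form revert when the return data is decoded; OpenZeppelin's SafeERC20 `safeTransferFrom` handles both the false-returning and the non-returning case.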
