Submission Details
Severity: high

Untrusted ERC20 tokens can be used

Summary

Untrusted ERC20 tokens can be used as loan tokens and as collateral tokens in a pool.

Vulnerability Details

The setPool function accepts any ERC20 token. The token can be an ERC20 Pausable token, an ERC777 token, or any malicious ERC20 token that manipulates transfers so that the loan tokens are never transferred to the contract. The whole lending and borrowing process can then be manipulated however the pool.lender wants.

Proof Of Concept

Let's imagine that a lender uses a malicious ERC20 token whose transferFrom does nothing. When the lender creates a pool with that token as the loan token, the loan tokens are not transferred to the contract, because transferFrom does not do what it is supposed to do. The same lender then calls removeFromPool, which performs a transfer (not transferFrom) to himself. If the Lender contract holds any of these tokens, they will be transferred to the lender. The lender now receives the loan tokens without ever having deposited them.

Impact

This leads to theft of users' funds and to unfair lending and borrowing.

Recommendations

Add a data structure that holds the allowed tokens so that no malicious tokens can be used. Then add a check in the setPool function that verifies the ERC20 tokens being used are in the allowed set and, if they are not, reverts the transaction.
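One way to implement this recommendation, as an added example that is not the audited project's code: an owner-managed allowlist that setPool checks for both the loan token and the collateral token before any state is written. The contract name, the simplified Pool struct, the owner role and every identifier other than setPool are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustrative allowlist gate; all names except setPool are hypothetical.
contract AllowlistedLender {
    // Simplified stand-in for the project's pool data (assumption).
    struct Pool {
        address lender;
        address loanToken;
        address collateralToken;
    }

    error NotOwner();
    error NotLender();
    error TokenNotAllowed(address token);

    event TokenAllowedSet(address indexed token, bool allowed);

    address public immutable owner;
    // The "data structure with the allowed tokens".
    mapping(address => bool) public allowedTokens;
    mapping(bytes32 => Pool) public pools;

    constructor() {
        owner = msg.sender;
    }

    /// Only the owner can add or remove a token, so a lender cannot
    /// allowlist a token whose transferFrom silently does nothing.
    function setTokenAllowed(address token, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        allowedTokens[token] = allowed;
        emit TokenAllowedSet(token, allowed);
    }

    /// Reverts before touching storage if either token is not allowlisted.
    function setPool(Pool calldata p) external returns (bytes32 poolId) {
        if (p.lender != msg.sender) revert NotLender();
        if (!allowedTokens[p.loanToken]) revert TokenNotAllowed(p.loanToken);
        if (!allowedTokens[p.collateralToken]) revert TokenNotAllowed(p.collateralToken);

        poolId = keccak256(abi.encode(p.lender, p.loanToken, p.collateralToken));
        pools[poolId] = p;
        // Balance accounting and token transfers are outside this example's scope.
    }
}
```

Because both tokens are checked, the gate covers the collateral side as well as the loan side described in the summary.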
