Submission Details
Severity:
buyLoan not check loanRatio > pool.maxLoanRatio
Summary
buyLoan only check interestRate > currentAuctionRate, not check loanRatio > pool.maxLoanRatio, which will cause the pool to lose money.
And caller can designate any pool, even if they don't own it, which gives caller enormous power to manipulate the pool, causing it to go into debt.
Vulnerability Details
// get the loan info
Loan memory loan = loans[loanId];
// validate the loan
if (loan.auctionStartTimestamp == type(uint256).max)
revert AuctionNotStarted();
if (block.timestamp > loan.auctionStartTimestamp + loan.auctionLength)
revert AuctionEnded();
// calculate the current interest rate
uint256 timeElapsed = block.timestamp - loan.auctionStartTimestamp;
uint256 currentAuctionRate = (MAX_INTEREST_RATE * timeElapsed) /
loan.auctionLength;
// validate the rate
if (pools[poolId].interestRate > currentAuctionRate) revert RateTooHigh();
// calculate the interest
(uint256 lenderInterest, uint256 protocolInterest) = _calculateInterest(
loan
);
The two problems mentioned above can be clearly seen in the code, no further details
Impact
The caller can specify any poolId. If maxLoanRatio is not met, the pool will lose money.
Tools Used
Manual review
Recommendations
require loanRatio <= pool.maxLoanRatio
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
70628 USDC / LOC
18,000 USDC
2,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.