This vulnerability in the protocol involves improper handling of token transfers made through IERC20.transfer and IERC20.transferFrom. Some ERC20 tokens return false on a failed transfer instead of reverting, and because the protocol never checks the returned value, a failed transfer is treated as a successful one. This leads to multiple critical issues within the lending and borrowing system.
The IERC20.transfer() and IERC20.transferFrom() functions return a boolean value indicating success. If the transfer fails, some tokens return false instead of reverting the transaction, and some tokens do not return a value at all. ERC20 transfers therefore need to be handled explicitly: the return value must be checked when one is present, and a missing return value must be tolerated without treating a false result as success.
If the debt or collateral tokens follow such a standard, the transfers can fail without reverting the transaction.
This can create multiple issues. If Token A returns false on failure instead of reverting the transaction, then:

1. An attacker can end up borrowing a loan without providing any collateral (Lender.sol borrow()). If the collateral token for the loan is Token A, an attacker can cause the transferFrom of collateral to fail, for example by not holding the required balance. The call returns false, the protocol does not check it, and the loan is still issued.

2. A lender can create a pool without providing any liquidity (Lender.sol setPool()). An attacker creates a pool with Token A as the debt token; the transfer of debt tokens into the protocol fails silently and the pool is still recorded as funded.

3. A borrower can end up providing collateral without receiving any loan. The borrower calls borrow(), the transfer of the loan (Token A) to the borrower fails, the transfer of collateral to the protocol succeeds, and to retrieve the collateral the borrower must repay the full loan amount that was requested but never received.
There are multiple instances of such IERC20 token transfers in the code base, and each one poses a different risk, so every transfer site should be mitigated by checking the transfer result.
For some ERC20 tokens, the vulnerability allows borrowers to obtain loans without providing any collateral, lenders to create liquidity pools without contributing any liquidity, and borrowers to lock up collateral without receiving the intended loan. This failure in token transfer handling poses significant risks to the security and stability of the protocol's loan collateralization and liquidity pool mechanisms.
Tools used: manual review.
Recommended mitigation: use OpenZeppelin's SafeERC20 library and replace every transfer and transferFrom call with safeTransfer and safeTransferFrom. These wrappers revert when the token returns false, and treat a call that returns no data as successful, so both false-returning and non-returning tokens are handled.
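The following is an added illustration, not code from Lender.sol or from the audited protocol. It assumes a simplified borrow(debtToken, collateralToken, debt, collateral) signature, a mock token (MockFalseToken) that returns false instead of reverting when the sender's balance is insufficient, and an inlined SafeTransfer library that reproduces the return-value handling SafeERC20 performs; in a real fix the OpenZeppelin library should be imported instead. With MockFalseToken as collateral and a caller holding no balance, VulnerableLender.borrow() records the loan and pays out the debt token, while HardenedLender.borrow() reverts on the failed collateral transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the protocol's code. Names and the borrow() signature are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed mock of a token that signals failure by returning false rather than reverting.
// The deployer receives the whole supply; the allowance check is omitted to keep the example short.
contract MockFalseToken is IERC20 {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000e18; }

    function transfer(address to, uint256 amount) external returns (bool) {
        return _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        if (balanceOf[from] < amount) return false; // failure without revert
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Pattern described in the finding: return values of transfer/transferFrom are ignored.
contract VulnerableLender {
    struct Loan { address borrower; IERC20 debtToken; IERC20 collateralToken; uint256 debt; uint256 collateral; }
    Loan[] public loans;

    function borrow(IERC20 debtToken, IERC20 collateralToken, uint256 debt, uint256 collateral) external {
        // If collateralToken returns false here, execution continues and the loan is still issued.
        collateralToken.transferFrom(msg.sender, address(this), collateral);
        // If debtToken returns false here, the borrower's collateral is locked without a payout.
        debtToken.transfer(msg.sender, debt);
        loans.push(Loan(msg.sender, debtToken, collateralToken, debt, collateral));
    }
}

// Minimal equivalent of SafeERC20's checks, inlined so the example compiles stand-alone.
library SafeTransfer {
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        _callAndCheck(address(token), abi.encodeCall(IERC20.transfer, (to, amount)));
    }

    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _callAndCheck(address(token), abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
    }

    function _callAndCheck(address token, bytes memory data) private {
        // A call to an address without code succeeds with empty return data, so rule that out first.
        require(token.code.length > 0, "SafeTransfer: not a contract");
        (bool ok, bytes memory ret) = token.call(data);
        // ok == false: the token reverted. Empty ret: non-returning token, treated as success.
        // Otherwise the returned bool must decode to true.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "SafeTransfer: transfer failed");
    }
}

// Same logic with every transfer site wrapped; a false return now reverts the whole borrow().
contract HardenedLender {
    using SafeTransfer for IERC20;

    struct Loan { address borrower; IERC20 debtToken; IERC20 collateralToken; uint256 debt; uint256 collateral; }
    Loan[] public loans;

    function borrow(IERC20 debtToken, IERC20 collateralToken, uint256 debt, uint256 collateral) external {
        collateralToken.safeTransferFrom(msg.sender, address(this), collateral);
        debtToken.safeTransfer(msg.sender, debt);
        loans.push(Loan(msg.sender, debtToken, collateralToken, debt, collateral));
    }
}
```

The same wrapper applies to the setPool() path: the lender's deposit of debt tokens must go through safeTransferFrom so that a pool is only recorded once the tokens have actually arrived. When auditing the fix, confirm that no raw transfer or transferFrom call remains anywhere in Lender.sol, since a single unchecked site is enough to reintroduce one of the three scenarios above.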