Double Deduction of Debt in Refinance Can Cause Lock Of Funds
Summary
It has been identified that the debt is deducted twice from the pool balance during a refinance operation.
Vulnerability Details
The vulnerability arises from the refinance operation, where the debt is deducted twice from the pool balance. The first deduction occurs in line 636 using the _updatePoolBalance method, and the second deduction occurs in line 698 using pools[poolId].poolBalance -= debt;. This double deduction can allow anyone to keep refinancing their loan and subtracting the balance twice while the debt is only transferred once, potentially locking all the contract funds.
Impact
This vulnerability can lead to significant financial losses for the platform, as it allows anyone to lock all the contract funds by repeatedly refinancing their loan. It can also undermine the trust in the platform, leading to a decrease in its user base.
Tools Used
Manual Review
Recommendations
To mitigate this vulnerability, it is recommended to revise the refinance operation to ensure that the debt is only deducted once from the pool balance. The revised operation should be thoroughly tested to ensure its accuracy and to prevent potential financial losses.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.