Lack of input validation in buyLoan() for loanId & poolId.
Obviously, for a non-existent or zero loanId & poolId the problem is clear, but there are no checks against this. The function could behave unpredictably.
Then there is the case where the selected poolId is the same pool as the existing/current loanId's pool, which effectively means the auctioned loanId could be bought by its own pool.
Invalid transfer of fee to the fee receiver/governance, potentially messing up protocol/governance accounting and the internal accounting of the pool.
VSC, manual.
Add checks, probably if statements, to check whether the loanId and poolId exist, or are >= minimum Id value.
After the following statement on L467, add the check for existence of loanId:
Loan memory loan = loans[loanId];
if (loan.borrower == address(0)) revert LoanNotExist();
After the above line, add a check for poolId's existence:
if (pools[poolId].lender == address(0)) revert PoolNotExist();
Finally, add a check to ensure the new/selected poolId is not equal to the old poolId; this check can be added after L493-L497:
if (poolId == oldPoolId) revert InvalidPool();
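The three checks in context, as an added example that is not the audited contract's code. The struct layouts, the use of mappings for both loans and pools, the poolId stored on the loan, the seeding helpers and the balance bookkeeping are all assumptions made to keep it self-contained; only the three revert conditions and error names come from the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified stand-in for the lending contract (assumed layout, see lead-in).
contract BuyLoanValidation {
    struct Pool { address lender; uint256 poolBalance; }
    struct Loan { address borrower; bytes32 poolId; uint256 debt; }

    error LoanNotExist();
    error PoolNotExist();
    error InvalidPool();

    mapping(uint256 => Loan) public loans;
    mapping(bytes32 => Pool) public pools;

    // Hypothetical helpers used only to seed state for experiments.
    function addPool(bytes32 id, uint256 amount) external {
        pools[id] = Pool(msg.sender, amount);
    }

    function addLoan(uint256 id, address borrower, bytes32 poolId, uint256 debt) external {
        loans[id] = Loan(borrower, poolId, debt);
    }

    function buyLoan(uint256 loanId, bytes32 poolId) external {
        // Reading a missing mapping key returns a zero-filled struct rather
        // than failing, so existence is tested on a field that is assumed
        // to be non-zero for every real entry.
        Loan memory loan = loans[loanId];
        if (loan.borrower == address(0)) revert LoanNotExist();
        if (pools[poolId].lender == address(0)) revert PoolNotExist();

        // A pool buying its own auctioned loan would be debited and
        // credited in the same call, so reject it before touching balances.
        bytes32 oldPoolId = loan.poolId;
        if (poolId == oldPoolId) revert InvalidPool();

        // Only reached with two distinct, existing pools.
        pools[poolId].poolBalance -= loan.debt; // checked arithmetic in 0.8+
        pools[oldPoolId].poolBalance += loan.debt;
        loans[loanId].poolId = poolId;
    }
}
```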