Severity: high
Valid

Anyone Can Lock Funds by Preventing Repay and Seize and Starting an Auction

Summary

It has been identified that the buyLoan function, which is designed to allow the purchase of an auction for a loan to transfer it to another pool, can be called by any user. This function changes the lender of the loan to msg.sender, enabling anyone to lock the loan funds.

Vulnerability Details

The vulnerability arises because the buyLoan function can be called by anyone, not just the pool owner of the target pool. The function changes the lender of the loan to msg.sender, so any caller can become the lender of a loan. An attacker can exploit this to lock the loan funds: they create a pool with the same collateral token and loan token, then start buying auctions and transferring the loans to other pools with the same tokens. The value of the debt is taken from those pools' balances, and their owners are prevented from performing any action on the loan (repay, seize, startAuction) because they are not the owner of the loan. The loan will be in the name of the attacker, and since the attacker's pool has no outstanding loans, the borrower cannot repay the loan and the lender cannot seize or give the loan.

Impact

This vulnerability can lead to significant financial losses because the loan's funds will be locked in the contract. An attacker can lock the loan funds, preventing the borrower from repaying the loan and the lender from seizing or giving the loan.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, revise the buyLoan function either to change the lender of the loan to the lender of the target pool, or to include a check that ensures only the lender of the target pool can call this function with their poolId.
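The accounting behind the lock and the recommended caller check can be reproduced in a small model. This is an added example, not code from the audited contract: the class and field names, the single token pair, the pool id being the lender's name, and the way repay locates the pool through the loan's lender are all assumptions made for illustration.

```python
from dataclasses import dataclass

class Revert(Exception): pass  # stands in for a reverted transaction

@dataclass
class Pool:
    lender: str
    balance: int          # tokens available to lend
    outstanding: int = 0  # debt currently lent out of this pool

@dataclass
class Loan:
    lender: str
    debt: int             # the loan is assumed to be in auction already

class LenderModel:
    """Constructed model, not the audited contract: one token pair, pool id == lender name."""
    def __init__(self, restrict_caller, pools, loans):
        self.restrict_caller = restrict_caller  # True = recommended check applied
        self.pools, self.loans = pools, loans

    def buy_loan(self, caller, loan_id, pool_id):
        loan, target = self.loans[loan_id], self.pools[pool_id]
        if self.restrict_caller and caller != target.lender:
            raise Revert("caller is not the target pool's lender")
        old = self.pools[loan.lender]
        old.outstanding -= loan.debt
        old.balance += loan.debt
        target.balance -= loan.debt      # the debt is funded from the target pool
        target.outstanding += loan.debt
        loan.lender = caller             # the assignment the report flags (msg.sender)

    def repay(self, loan_id):
        loan = self.loans[loan_id]
        pool = self.pools[loan.lender]   # assumption: the pool is found via loan.lender
        if pool.outstanding < loan.debt:
            raise Revert("outstanding-loans underflow")
        pool.outstanding -= loan.debt
        pool.balance += loan.debt

def run(restrict_caller, caller):
    pools = {n: Pool(n, b, o) for n, b, o in  # constructed sample data
             [("alice", 0, 100), ("bob", 500, 0), ("mallory", 0, 0)]}
    m = LenderModel(restrict_caller, pools, [Loan("alice", 100)])
    try:
        m.buy_loan(caller, 0, "bob")
        m.repay(0)
        return "repaid", pools["bob"].balance
    except Revert as exc:
        return str(exc), pools["bob"].balance
```

Without the check, a third party moving the loan into bob's pool leaves bob debited and the repayment reverting; with the check, the same call is rejected and bob's own purchase repays normally.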
