20,000 USDC
Submission Details
Severity: high
Valid

Anyone Can Steal From The Pool's balance

Summary

The buyLoan function, which allows a lender to buy a loan that is being auctioned and transfer it to another pool, can be called by anyone, and it changes the lender of the loan to msg.sender. An attacker can exploit this flaw to steal loans and subsequently withdraw the associated balance.

Vulnerability Details

The vulnerability stems from the buyLoan function, which can be called by any user, not just the lender of the target pool. When executed, this function changes the lender of the loan to msg.sender, allowing any individual to assume the role of the loan's lender.

An attacker can exploit this vulnerability by creating a pool with a very high loan ratio. They can then borrow from this pool, effectively borrowing from themselves, to artificially inflate the outstandingLoans value. With this setup, the attacker can "steal" loans by calling buyLoan for loans that are currently being auctioned. Once the attacker becomes the lender of these stolen loans, they start receiving the balance associated with them. Using removeFromPool, the attacker can later withdraw this balance, leading to financial losses for the original lenders.

Impact

This vulnerability can lead to significant financial losses for the original lenders as their loans can be maliciously acquired and the associated balances withdrawn by attackers.

Tools Used

Manual Review

Recommendation

To mitigate this vulnerability, revise the buyLoan function so that it either sets the lender of the loan to the lender of the target pool, or includes a check that ensures only the lender of the target pool can call the function with their own poolId.
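
A minimal sketch of the recommended check, added here for illustration; it is not the audited contract's code. The struct layouts, the createPool and openAuction helpers, and the simplified accounting (the previous lender's pool is not modelled) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model for illustration; NOT the audited contract.
/// Struct layouts, createPool/openAuction and the accounting are assumptions.
contract BuyLoanAccessCheck {
    struct Pool { address lender; uint256 poolBalance; uint256 outstandingLoans; }
    struct Loan { address lender; uint256 debt; bool auctioning; }

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    error NotAuctioning();
    error Unauthorized();
    error PoolTooSmall();

    // Hypothetical setup helpers so the model can be exercised in a test.
    function createPool(bytes32 poolId, uint256 balance) external {
        require(pools[poolId].lender == address(0), "pool exists");
        pools[poolId] = Pool(msg.sender, balance, 0);
    }

    function openAuction(uint256 debt) external returns (uint256 loanId) {
        loans.push(Loan(msg.sender, debt, true));
        return loans.length - 1;
    }

    function buyLoan(uint256 loanId, bytes32 poolId) external {
        Loan storage loan = loans[loanId];
        Pool storage target = pools[poolId];
        if (!loan.auctioning) revert NotAuctioning();
        // Check from the recommendation: caller must be the target pool's lender.
        // An unknown poolId has lender == address(0), so it is rejected as well.
        if (msg.sender != target.lender) revert Unauthorized();
        if (target.poolBalance < loan.debt) revert PoolTooSmall();

        // The pool that funds the purchase takes on the loan...
        target.poolBalance -= loan.debt;
        target.outstandingLoans += loan.debt;
        // ...and its lender is recorded as the new lender. Deriving this from
        // the pool (not a bare msg.sender) keeps the loan and the pool in sync.
        loan.lender = target.lender;
        loan.auctioning = false;
    }
}
```

A regression test for the fix should call buyLoan from an address that is not the target pool's lender and expect the Unauthorized revert, then assert that the pool's poolBalance and the loan's lender are unchanged.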
