The giveLoan function can be used to forcefully send loans to another pool during market downturns.
Consider a period of extreme market volatility in which the loan token price is dropping very rapidly. It might be better to just withdraw the token from the pool and swap it into another (no matter what interest is generated on the loan). A malicious lender could then forcefully call giveLoan and give his loans to another pool (with similar parameters), even when the other pool owner might not want the loan. This would decrease the new pool owner's balance without their consent. In the giveLoan function, the following would be updated:
The new pool owner/lender's poolBalance would decrease and the outstandingLoans would increase.
So, when they want to remove their balance from the pool using the removeFromPool function, they may not be able to as their pool balance is extremely low (depending upon how much debt was transferred to them via giveLoan, assume poolBalance to be 0 because of this). The following subtraction in removeFromPool would fail because of low poolBalance:
They might not be able to remove their loan tokens from the project. And by the time they can remove these tokens, the loan token might have dropped sharply already, and the user would end up with a loss.
The user/new pool owner may try to prevent this attack by changing the maxLoanRatio of the pool, but they can be front-run before they call the updateMaxLoanRatio function, as the attacker would have already called giveLoan. The user/new pool owner may also try to start an auction, but no one would be interested in buying the loan while the loan token is in freefall. The only way forward is to seize the collateral of the borrower of the loan. This can only happen when the auction ends, which could last for days, and by then it is already too late for the lender to sell his loan tokens.
The borrower, on the other hand, will try to delay repaying this loan, as the value he has to pay back will drop as time passes. The borrower would essentially convert the loan token into a stablecoin like USDC and, when they have to repay the loan (before seizeLoan is called by the new pool owner/lender), convert it back to the loan token. The trade back into loan tokens from USDC would be profitable, as the loan token value is in freefall, and the borrower could get the same amount of loan tokens for a lower amount of USDC. The remaining USDC would be his profit. The borrower here basically takes a short position. By then it is too late, and the amount of the loan token that the new lender is able to claim back is worth very little.
The giveLoan function can be used to forcefully send loans to another pool during market downturns. The new pool owner would end up with a large potential loss.
Manual review
It is recommended that the project have a parameter called giveLoanAllowed for each pool. If it's true, then the pool can be given loans, otherwise, the giveLoan function would revert. Also, it would be better if the project allows only a specific set of tokens. Currently, the pools can be created for any loan token.
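The recommended opt-in flag, sketched as an added example on a simplified model that is not the audited contract: only the names giveLoan, removeFromPool, poolBalance, outstandingLoans and giveLoanAllowed come from this finding, while the struct layout, pool ids, signatures and the createPool, borrow and setGiveLoanAllowed helpers are assumptions, and token transfers are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration; NOT the audited contract.
// Layout, ids and signatures are assumptions. Token transfers are omitted.
contract LenderModel {
    struct Pool {
        address lender;
        uint256 poolBalance;
        uint256 outstandingLoans;
        bool giveLoanAllowed; // opt-in flag; defaults to false
    }
    mapping(uint256 => Pool) public pools; // poolId => pool (hypothetical ids)

    error NotLender();
    error PoolExists();
    error GiveLoanNotAllowed();

    modifier onlyLender(uint256 poolId) {
        if (msg.sender != pools[poolId].lender) revert NotLender();
        _;
    }
    function createPool(uint256 poolId, uint256 balance) external {
        if (pools[poolId].lender != address(0)) revert PoolExists();
        pools[poolId] = Pool(msg.sender, balance, 0, false);
    }
    // Stand-in for borrowing: moves `debt` from balance to outstanding.
    function borrow(uint256 poolId, uint256 debt) external {
        pools[poolId].poolBalance -= debt;
        pools[poolId].outstandingLoans += debt;
    }
    // Off by default, so there is no window in which the receiving lender
    // must race a giveLoan call, unlike reacting with updateMaxLoanRatio.
    function setGiveLoanAllowed(uint256 poolId, bool allowed) external onlyLender(poolId) {
        pools[poolId].giveLoanAllowed = allowed;
    }
    function giveLoan(uint256 fromId, uint256 toId, uint256 debt) external onlyLender(fromId) {
        if (!pools[toId].giveLoanAllowed) revert GiveLoanNotAllowed(); // mitigation
        pools[toId].poolBalance -= debt;        // receiving pool funds the debt
        pools[toId].outstandingLoans += debt;
        pools[fromId].poolBalance += debt;      // assumed source-side accounting
        pools[fromId].outstandingLoans -= debt;
    }
    function removeFromPool(uint256 poolId, uint256 amount) external onlyLender(poolId) {
        // Checked subtraction: reverts when amount > poolBalance, which is
        // the state a forced giveLoan leaves the receiving lender in.
        pools[poolId].poolBalance -= amount;
    }
}
```

With the guard removed, any lender can push debt into a pool that has balance and block that pool's removeFromPool; with it, the call reverts unless the receiving lender has set the flag.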