20,000 USDC
Submission Details
Severity: high

Suppression of RatioTooHigh() Permits Withdrawals Exceeding Collateral Value: A Potential Risk

Summary

Currently, the protocol allows borrowers to access loans with a value significantly higher than the collateral they provide. This could lead to undesired outcomes.

Vulnerability Details

At present, a lender can create a pool with a potentially risky maxLoanRatio value. The test suite illustrates this with a value of 2 (multiplied by 10^18). As a result, the borrow function is open to exploitation: its RatioTooHigh error does not trigger, so the call does not revert.

For instance, a call to borrow(debt=1e20, collateral=4.999e19) will succeed. This means a debt of more than double the collateral's value can proceed. This is not unexpected, as a pool with maxLoanRatio: 2 * 10 ** 18 is allowed to be created. Moreover, note the debt-to-collateral ratio in this case, i.e., 1e20 : 4.99e19 > 2. Due to Solidity's arithmetic handling, the actual debt can still be more than twice that of the collateral.

Impact

This issue could potentially incentivize borrowers to exploit the system, leading to significant losses for unsuspecting lenders.

Tools Used

Fuzz Testing, Foundry

Recommended Mitigation

Ideally, the loan-to-value (LTV) should not exceed 1. From a technical standpoint, the maxLoanRatio should not be allowed to be greater than 0.95 or a similar value. This precaution is due to Solidity's arithmetic handling, as described above. The precise value may be determined by conducting a simple Solidity arithmetic experiment. The maxLoanRatio should be checked in the setPool function, which should ideally revert if the maxLoanRatio exceeds this value.
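
The arithmetic experiment and the setPool guard recommended above can be modelled off-chain with Python integers. This is an added example, not code from the submission or the protocol. It assumes the borrow check computes the ratio as a truncating division, debt * 10^18 / collateral, and the names MAX_LOAN_RATIO_CAP, set_pool, floor_check_passes, exact_check_passes, max_debt_floor and max_debt_exact are hypothetical.

```python
WAD = 10**18                           # 18-decimal fixed-point scale (the 10 ** 18 above)
MAX_LOAN_RATIO_CAP = 95 * WAD // 100   # 0.95 cap from the recommendation (hypothetical name)


class RatioTooHigh(Exception):
    """Stand-in for the contract's RatioTooHigh() revert."""


def set_pool(max_loan_ratio: int) -> int:
    """Recommended guard: refuse to create a pool whose ratio exceeds the cap."""
    if max_loan_ratio > MAX_LOAN_RATIO_CAP:
        raise RatioTooHigh(max_loan_ratio)
    return max_loan_ratio


def floor_check_passes(debt: int, collateral: int, max_loan_ratio: int) -> bool:
    """ASSUMED borrow check: the ratio is computed with truncating division."""
    loan_ratio = (debt * WAD) // collateral   # the fractional part is discarded
    return loan_ratio <= max_loan_ratio


def exact_check_passes(debt: int, collateral: int, max_loan_ratio: int) -> bool:
    """Cross-multiplied form: no division, so nothing is rounded away."""
    return debt * WAD <= max_loan_ratio * collateral


def max_debt_floor(collateral: int, max_loan_ratio: int) -> int:
    """Largest debt the truncating check accepts for this collateral."""
    return ((max_loan_ratio + 1) * collateral - 1) // WAD


def max_debt_exact(collateral: int, max_loan_ratio: int) -> int:
    """Largest debt whose true ratio does not exceed max_loan_ratio."""
    return (max_loan_ratio * collateral) // WAD


if __name__ == "__main__":
    collateral = 5 * 10**19 - 1        # constructed sample value
    ratio = 2 * WAD                    # the pool ratio used in the test suite
    print("floor check accepts up to", max_debt_floor(collateral, ratio))
    print("exact check accepts up to", max_debt_exact(collateral, ratio))
    try:
        set_pool(ratio)
    except RatioTooHigh:
        print("set_pool rejects maxLoanRatio = 2e18 under the 0.95 cap")
```

Under this assumed check, truncation lets the debt overshoot the configured ratio by only a few wei, so the cap enforced in setPool is what actually bounds the lender's exposure.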
