Lender.giveLoan can be used to disallow withdrawing of funds
Summary
Lender.giveLoan can be used to disallow withdrawing of funds for another lender
Vulnerability Details
Lender.giveLoan can be called by owner of loan in order to give his loan to another lender. There is no need to ask new lender. In the end of this process new lender should pay funds, so his pool's balance decreases.
When lender wants to removeFromPool(receive funds), then he should have enough funds on his balance.
Any lender that have active loan can try to restrict another lender from withdrawing his funds by giveLoan function. as result another lender will not be able to withdraw funds.
Example.
I am owner of loan for 1000$ and i see that some another lender(that i don't like) wants to withdraw funds from his pool. He wants to use them. Then i just give him my loan, so it's not enough funds on his balance anymore.
Someone can say, that borrower also can frontrun lender to not allow withdraw funds, but it's not like that, because borrower should provide collateral and pay fee, while lender will do that for free.
Impact
Another lender is temporarily blocked from witdrawing
Tools Used
VsCode
Recommendations
I see this process only as agreement. Both lenders should want to do that operation.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.