20,000 USDC
Submission Details
Severity: high

The transferFrom call can fail silently, leaving a wrong pool.poolBalance. An attacker can become a lender and remove or borrow tokens without ever sending any funds to the contract.

Summary

Some ERC20 tokens do not revert on a failed transfer; they just return false.
Because the contract never checks this return value, pool.poolBalance can be updated without the tokens having arrived, which can lead to loss of funds.

Vulnerability Details

In the setPool(Pool calldata p) function, the transferFrom call can fail silently if the ERC20 token does not revert on failure and just returns false; the returned bool is not checked.
The same applies to the addToPool(bytes32 poolId, uint256 amount) function. In both cases pool.poolBalance is updated as if the transfer had succeeded, so the recorded balance no longer matches the tokens the contract actually holds.

Impact

An attacker can become a lender and call setPool or addToPool without approving the contract to transfer the ERC20 tokens.
The transferFrom call fails silently and the subsequent lines still execute, so pool.poolBalance is set to the 'amount' parameter of the function.
The attacker can then withdraw from the pool using removeFromPool(bytes32 poolId, uint256 amount) without having sent the tokens to the contract in the first place.
The attacker can also use another wallet to borrow against the pool via the borrow function. This will drain the contract.

Tools Used

Manual review

Recommendations

Use OpenZeppelin's SafeERC20 library (safeTransfer / safeTransferFrom), which reverts when a token returns false. Some ERC20 tokens return false even on success, so whitelisting the specific tokens allowed in the protocol is also recommended.
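The pattern from the Vulnerability Details and the fix from the Recommendations, side by side, as an added example written for this report (not the audited project's code). The Pool struct layout, the owner/whitelist logic and the mock token that returns false instead of reverting are all assumptions made for the example; only the function names setPool, addToPool and the poolBalance field come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock: a token that returns false instead of reverting when the
/// allowance or balance is insufficient (the behaviour the report relies on).
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (allowance[from][msg.sender] < amount || balanceOf[from] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Pattern described in the finding: the bool returned by transferFrom is ignored.
contract VulnerablePool {
    struct Pool { address lender; address loanToken; uint256 poolBalance; } // assumed layout
    mapping(bytes32 => Pool) public pools;

    function setPool(Pool calldata p) external returns (bytes32 poolId) {
        require(p.lender == msg.sender, "not lender");
        poolId = keccak256(abi.encode(p.lender, p.loanToken));
        // BUG: with FalseReturningToken and no approval this returns false,
        // nothing moves, yet the pool below is stored with poolBalance as funded.
        IERC20(p.loanToken).transferFrom(msg.sender, address(this), p.poolBalance);
        pools[poolId] = p;
    }

    function addToPool(bytes32 poolId, uint256 amount) external {
        Pool storage pool = pools[poolId];
        require(pool.lender == msg.sender, "not lender");
        IERC20(pool.loanToken).transferFrom(msg.sender, address(this), amount); // BUG: unchecked
        pool.poolBalance += amount;
    }
}

/// Hardened version: SafeERC20 reverts when the token returns false (or returns
/// nothing at all), and only whitelisted tokens may back a pool.
contract HardenedPool {
    using SafeERC20 for IERC20;

    struct Pool { address lender; address loanToken; uint256 poolBalance; }
    mapping(bytes32 => Pool) public pools;
    mapping(address => bool) public allowedTokens; // whitelist, assumed owner-managed
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function setTokenAllowed(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTokens[token] = allowed;
    }

    function setPool(Pool calldata p) external returns (bytes32 poolId) {
        require(p.lender == msg.sender, "not lender");
        require(allowedTokens[p.loanToken], "token not whitelisted");
        poolId = keccak256(abi.encode(p.lender, p.loanToken));
        // Reverts on a false return, so the pool is only stored once the tokens arrived.
        IERC20(p.loanToken).safeTransferFrom(msg.sender, address(this), p.poolBalance);
        pools[poolId] = p;
    }

    function addToPool(bytes32 poolId, uint256 amount) external {
        Pool storage pool = pools[poolId];
        require(pool.lender == msg.sender, "not lender");
        IERC20(pool.loanToken).safeTransferFrom(msg.sender, address(this), amount);
        pool.poolBalance += amount;
    }
}
```

Deploying FalseReturningToken and calling VulnerablePool.setPool from an account that never called approve succeeds and records a non-zero poolBalance while the pool's token balance stays zero; the same call on HardenedPool reverts with SafeERC20's failed-operation error. The whitelist handles the second caveat in the recommendation: a token that returns false on success would never pass safeTransferFrom, so it should not be enabled for the protocol at all.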
