Some ERC20 tokens don't revert on failure; they just return false.
This can lead to incorrect updates of pool.poolBalance in the pool contract, which can lead to loss of funds.
In the setPool(Pool calldata p) function, the transferFrom call can fail silently if the ERC20 token does not revert on failure and instead returns false.
The same applies to the addToPool(bytes32 poolId, uint256 amount) function. This can lead to an incorrect pool.poolBalance in the contract.
An attacker can become a lender and call setPool or addToPool without approving the contract to transfer ERC20 tokens.
The transferFrom call will fail silently and the subsequent lines will execute, so pool.poolBalance is set to the 'amount' parameter of the function.
The attacker can now withdraw from the pool using removeFromPool(bytes32 poolId, uint256 amount) without having sent the tokens to the contract in the first place.
The attacker can also use another wallet to borrow debt using the borrow function. This will drain the contract.
Manual review
Use OpenZeppelin's SafeERC20 library (safeTransferFrom) instead of calling transferFrom directly. Some ERC20 tokens return false even on success, so whitelisting specific tokens for use in the protocol is also recommended.
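The following is an added illustration written for this finding, not the audited contract's code. It shows a minimal addToPool with the unchecked transferFrom beside the SafeERC20 version, plus a constructed mock token that returns false instead of reverting, which is useful as a test fixture for reproducing the issue. The Pool struct layout (lender, lendingToken, poolBalance) is an assumption for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed test fixture: a token whose transferFrom returns false on
// insufficient allowance/balance instead of reverting (the behaviour this
// finding is about). Not a real token.
contract NoRevertToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (allowance[from][msg.sender] < amount || balanceOf[from] < amount) {
            return false; // silent failure: no revert
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pattern (assumed struct fields, illustrative only).
contract PoolVulnerable {
    struct Pool { address lender; address lendingToken; uint256 poolBalance; }
    mapping(bytes32 => Pool) public pools;

    function createPool(bytes32 poolId, address token) external {
        pools[poolId] = Pool(msg.sender, token, 0);
    }

    function addToPool(bytes32 poolId, uint256 amount) external {
        Pool storage pool = pools[poolId];
        // BUG: return value ignored. With NoRevertToken and no approval this
        // call returns false, execution continues, and poolBalance is credited
        // for tokens the contract never received.
        IERC20(pool.lendingToken).transferFrom(msg.sender, address(this), amount);
        pool.poolBalance += amount;
    }
}

// Hardened pattern: SafeERC20.safeTransferFrom reverts if the call reverts,
// returns false, or returns data that does not decode to true. Tokens that
// return no data at all (e.g. some non-standard tokens) are also accepted.
contract PoolFixed {
    using SafeERC20 for IERC20;

    struct Pool { address lender; address lendingToken; uint256 poolBalance; }
    mapping(bytes32 => Pool) public pools;

    function createPool(bytes32 poolId, address token) external {
        pools[poolId] = Pool(msg.sender, token, 0);
    }

    function addToPool(bytes32 poolId, uint256 amount) external {
        Pool storage pool = pools[poolId];
        // Reverts on any failed or false-returning transfer; poolBalance is
        // only updated once the tokens are actually held by this contract.
        IERC20(pool.lendingToken).safeTransferFrom(msg.sender, address(this), amount);
        pool.poolBalance += amount;
    }
}
```

A regression test for this finding deploys NoRevertToken, creates a pool against it, calls addToPool without an approve, and asserts that the call reverts and poolBalance stays 0; against PoolVulnerable the same sequence succeeds and leaves poolBalance equal to amount with no tokens held. Pairing SafeERC20 with an allowlist of reviewed tokens covers the remaining cases of tokens whose return values cannot be trusted at all.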