transferFrom function can fail silently leading to wrong pool.poolBalance. An attacker can become lender and remove or borrow the tokens without sending any funds to the contract for lending.
Summary
Some ERC20 tokens doesn't revert on failure. It just returns false.
This can lead to wrong state updates of pool.poolBalance in the pool, which can lead to loss of funds.
Vulnerability Details
In setPool(Pool calldata p) function -> the transferFrom function can fail silently if the erc20 token doesnot revert on failure and just returns false.
Same case in addToPool(bytes32 poolId, uint256 amount) function. This can lead to wrong pool.poolBalance in the contract.
Impact
An attacker can become a lender and call setPool or addToPool without approving the contract to transfer erc20 tokens.
The transferFrom function will fail silenty and the subsequent lines will execute. The pool.PoolBalance will be set to the 'amount' parameter in the function.
The attacker now can withdraw from the pool using removeFromPool(bytes32 poolId, uint256 amount) without sending the tokens to the contract in the first place
The attacker can also use another wallet to borrow debt using borrow function. This will drain the contract.
Tools Used
Manual review
Recommendations
Use safeTransfer function from Openzeppelin. Some erc20 returns false even on success. So whitelisting specific tokens for use in the protocol is also recommended.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.