The codebase is using the IERC20 interface instead of the SafeERC20 library.
The lending and borrowing process is designed to work with any ERC20 token. The standard allows a token to signal failure either by returning a boolean `false` or by reverting; the codebase currently handles only the revert case.
ERC-20 tokens that return `false` from methods like transfer or transferFrom on failure, instead of reverting, are not properly handled by the system. For example, in Lender.sol @ function setPool(Pool calldata p), consider the following snippet:
If transferFrom fails, for example because the caller does not hold the required token balance, the function would not detect the failure and would assume the tokens were received. An attacker could exploit this by subsequently withdrawing tokens that were deposited by other users.
None
Use the safe* methods, like safeTransfer and safeTransferFrom from the SafeERC20 library provided by OpenZeppelin throughout the codebase.
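As an added illustration, not the audited Lender.sol code, the following hypothetical deposit function shows the unchecked `transferFrom` pattern beside the SafeERC20 form, together with a constructed mock token that returns `false` so the fix can be covered by a regression test; the OpenZeppelin import paths assume a v5 layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical pool bookkeeping, not the project's Lender.sol.
/// Both contracts credit `balance` after pulling tokens from the caller.
contract UncheckedDeposit {
    IERC20 public immutable token;
    mapping(address => uint256) public balance;

    constructor(IERC20 _token) { token = _token; }

    /// VULNERABLE: a token that returns `false` instead of reverting is
    /// treated as a successful deposit, so `balance` is credited for
    /// tokens this contract never received.
    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount); // return value ignored
        balance[msg.sender] += amount;
    }
}

contract CheckedDeposit {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    mapping(address => uint256) public balance;

    constructor(IERC20 _token) { token = _token; }

    /// FIXED: safeTransferFrom reverts when the token returns `false`
    /// (and still accepts tokens that return no data, e.g. USDT), so the
    /// accounting below only runs after a confirmed transfer.
    function deposit(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        balance[msg.sender] += amount;
    }
}

/// Constructed mock for a regression test: always returns `false`, never reverts.
/// Cast to IERC20 when deploying the contracts above in a test.
contract FalseReturningToken {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}
```

Against `FalseReturningToken`, `UncheckedDeposit.deposit` succeeds and inflates `balance`, while `CheckedDeposit.deposit` reverts with SafeERC20's failed-operation error.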