20,000 USDC
Submission Details
Severity: high
Valid

Lender can compound borrower's debt via `giveLoan`

Summary

By abusing the giveLoan function, a lender can compound a borrower's debt.

Vulnerability Details

The giveLoan method allows a lender to move a loan to another pool. First, totalDebt is calculated, which consists of the borrowed amount plus the interest that has accrued but not yet been settled:

(
    uint256 lenderInterest,
    uint256 protocolInterest
) = _calculateInterest(loan);
uint256 totalDebt = loan.debt + lenderInterest + protocolInterest;

Then the whole totalDebt is taken out of the new pool as if it were newly borrowed principal:

// update the pool balance of the new lender
_updatePoolBalance(poolId, pool.poolBalance - totalDebt);
pools[poolId].outstandingLoans += totalDebt;

The issue is that the pending interest is treated as debt: after the move, interest accrues on the original principal plus the interest that had already accrued, so the borrower's debt compounds. A lender can abuse this by periodically (e.g. once or several times a day) calling giveLoan to move the loan to themselves (to the same pool or to another pool they control), compounding the borrower's debt at a frequency the borrower never agreed to.

Impact

By compounding the borrower's debt over a longer period, the borrower ends up paying a significantly higher effective interest rate than the one agreed when the loan was taken; the more often the lender moves the loan, the closer the realised rate gets to continuous compounding of the agreed rate.

Also note that the same faulty implementation is present in buyLoan.

Tools Used

None

Recommendations

When moving a loan, the pending interest should not be treated as debt, but instead be tracked separately, so that it does not accumulate further interest. How exactly this is implemented is up to the developers to decide.
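To put a number on the effect described in Vulnerability Details and Impact, and to show the difference the recommendation makes, here is an added simulation that is not part of the original report or of the audited code base. It assumes a simple pro-rata interest model (debt times annual rate times elapsed time, in Solidity-style integer arithmetic, with lenderInterest and protocolInterest modelled as one figure); the loan size, rate and move frequency are constructed sample values. give_loan_as_reported folds the accrued interest into the interest-bearing debt the way the report describes; give_loan_tracked_separately settles it into a separate bucket that is still owed but earns no further interest.

```python
from dataclasses import dataclass
from typing import Callable

# Assumed interest model (not taken from the audited code): simple, pro-rata
# interest on loan.debt since the last accrual point, using floor division as
# Solidity would. lenderInterest and protocolInterest are modelled as one figure.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
DAY = 24 * 60 * 60
BPS = 10_000

# Constructed sample loan: 365,000 tokens (18 decimals) at 10% per year.
# The principal is chosen so that one day of interest divides exactly.
PRINCIPAL = 365 * 10**21
RATE_BPS = 1_000


@dataclass
class Loan:
    debt: int            # principal on which interest accrues
    rate_bps: int        # annual rate in basis points
    last_update: int     # timestamp of the last accrual point
    pending: int = 0     # interest kept outside the interest-bearing balance


def accrued_interest(loan: Loan, now: int) -> int:
    """Interest earned on loan.debt between last_update and now."""
    elapsed = now - loan.last_update
    return loan.debt * loan.rate_bps * elapsed // (BPS * SECONDS_PER_YEAR)


def give_loan_as_reported(loan: Loan, now: int) -> None:
    """Models the reported behaviour: pending interest becomes part of the
    debt taken from the new pool, so from now on it earns interest itself."""
    loan.debt += accrued_interest(loan, now)
    loan.last_update = now


def give_loan_tracked_separately(loan: Loan, now: int) -> None:
    """Models the recommendation: pending interest is settled into a separate
    bucket that is owed by the borrower but does not accrue further interest."""
    loan.pending += accrued_interest(loan, now)
    loan.last_update = now


def total_owed(loan: Loan, now: int) -> int:
    return loan.debt + loan.pending + accrued_interest(loan, now)


def simulate(give_loan: Callable[[Loan, int], None], period: int,
             horizon: int = SECONDS_PER_YEAR) -> int:
    """The lender moves the loan every `period` seconds until `horizon`;
    returns the borrower's total liability at the horizon."""
    loan = Loan(debt=PRINCIPAL, rate_bps=RATE_BPS, last_update=0)
    t = 0
    while t + period <= horizon:
        t += period
        give_loan(loan, t)
    return total_owed(loan, horizon)


def effective_rate_bps(owed: int) -> int:
    """Realised annual rate in basis points relative to the agreed PRINCIPAL."""
    return (owed - PRINCIPAL) * BPS // PRINCIPAL


if __name__ == "__main__":
    for name, fn in (("as reported", give_loan_as_reported),
                     ("tracked separately", give_loan_tracked_separately)):
        owed = simulate(fn, DAY)
        print(f"{name:20s} owed after 1 year: {owed / 10**18:,.2f} tokens "
              f"-> {effective_rate_bps(owed)} bps")
```

With the loan moved once a day for a year, the separately tracked variant yields exactly the agreed 1000 bps, while the reported behaviour yields about 1051 bps, i.e. the borrower pays roughly 5% more interest than agreed; moving the loan several times a day pushes the figure a little higher still, towards continuous compounding.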
