Malicious user can drain the funds of Lender.sol contract by utilizing setPool function
The setPool function in Lender.sol allows a lender to modify the parameters of their pool.
The setPool function also allows the lender to modify the pool balance. If the new balance is
greater than the current one, the funds are transferred from the lender's account into the contract.
When the pool balance provided is less than the current balance, the contract sends the
difference to the lender. But instead of using the loanToken stored in the contract's
pools structure, the setPool function uses the lender-passed loanToken. A lender
can pass a different loanToken and drain the contract of that token.
Consider the following scenario:
There are 2 tokens, A and B.
Bob creates a new pool with 100 token A as loanToken.
Alice creates a new pool with 100 token B as loanToken.
The malicious lender calls setPool again, but with p.loanToken = Token B and p.poolBalance = 50.
Line 159 in Lender.sol is executed and (100-50)=50 token B are sent to the malicious lender.
Malicious lender can steal funds from the contract.
Manual Review
Use the loanToken set initially when creating a loan instead of the user-passed parameter.
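The scenario above replayed in a small Python model, added here as an example and not taken from Lender.sol. It assumes one pool per lender looked up by lender address, takes Bob to be the malicious lender, and uses constructed balances; `Ledger`, `LenderModel` and `run_scenario` are hypothetical names. With `use_stored_token=False` the refund is paid in the caller-supplied token as the finding describes; with `True` it is paid in the token recorded at pool creation, as recommended.

```python
from collections import defaultdict

CONTRACT = "Lender.sol"  # label for the contract's own token holdings


class Ledger:
    """Constructed stand-in for ERC-20 balances: bal[token][holder]."""

    def __init__(self):
        self.bal = defaultdict(lambda: defaultdict(int))

    def transfer(self, token, src, dst, amount):
        if self.bal[token][src] < amount:
            raise ValueError("insufficient balance")
        self.bal[token][src] -= amount
        self.bal[token][dst] += amount


class LenderModel:
    """Hypothetical model: one pool per lender, looked up by lender address."""

    def __init__(self, ledger, use_stored_token):
        self.ledger, self.use_stored_token = ledger, use_stored_token
        self.pools = {}  # lender -> (loan_token, pool_balance)

    def set_pool(self, lender, loan_token, pool_balance):
        stored_token, current = self.pools.get(lender, (loan_token, 0))
        # Recommended fix: settle in the token recorded at pool creation.
        # Behaviour reported in the finding: trust the caller-supplied token.
        token = stored_token if self.use_stored_token else loan_token
        if pool_balance > current:
            self.ledger.transfer(token, lender, CONTRACT, pool_balance - current)
        elif pool_balance < current:
            self.ledger.transfer(token, CONTRACT, lender, current - pool_balance)
        self.pools[lender] = (token, pool_balance)


def run_scenario(use_stored_token):
    """Replay the A/B scenario; Bob is assumed to be the malicious lender."""
    ledger = Ledger()
    ledger.bal["A"]["bob"] = 100      # constructed starting balances
    ledger.bal["B"]["alice"] = 100
    lender = LenderModel(ledger, use_stored_token)
    lender.set_pool("bob", "A", 100)
    lender.set_pool("alice", "B", 100)
    lender.set_pool("bob", "B", 50)   # Bob's pool was funded with token A
    return {t: dict(ledger.bal[t]) for t in ("A", "B")}


if __name__ == "__main__":
    print("caller-supplied token:", run_scenario(False))
    print("stored token:         ", run_scenario(True))
```

In the first run the contract's token B holdings fall from 100 to 50 although Bob never deposited token B; in the second run Bob only gets back 50 of his own token A.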