Missing bounds check in Lender.updateMaxLoanRatio() could let a lender borrow more tokens than they are entitled to
In Lender.sol, updateMaxLoanRatio() does not check that the new max loan ratio is within a reasonable range. A malicious lender could therefore set the max loan ratio to an unrealistic level, which could allow them to borrow more loan tokens than they are entitled to. https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L210-L215
The function updateMaxLoanRatio allows the lender to update the max loan ratio to any value. The lender could therefore set it to an unrealistic level, such as 1000000, which would allow them to borrow more loan tokens than they are entitled to, with negative consequences for the pool.
The reasonable range for the max loan ratio depends on the specific pool, but it would typically be less than 100%, because the lender should not be able to borrow more loan tokens than the value of the collateral tokens they have deposited. For example, if the lender deposits 1000 loan tokens, the max loan ratio should be less than 1000, so that the lender cannot borrow more than 1000 loan tokens.
Manual Review
Add a require statement that checks that maxLoanRatio is greater than zero and less than or equal to a defined upper bound.
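The following sketch illustrates the recommended mitigation. It is an added example written for this report and is not the Beedle Lender.sol code: the Pool struct, the createPool helper, the MAX_LOAN_RATIO_CAP constant and its value, and the unit assumed for maxLoanRatio (loan tokens per 1e18 collateral tokens) are all assumptions made here, and the real cap has to be chosen per deployment. The unchecked variant is shown beside the bounded one so the difference in accepted inputs is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch only (not the project's Lender.sol): a minimal pool
// registry showing updateMaxLoanRatio() without and with a bounds check.
contract LenderSketch {
    struct Pool {
        address lender;
        // Assumed unit: loan tokens lendable per 1e18 collateral tokens.
        uint256 maxLoanRatio;
    }

    // Assumed upper bound (placeholder value); pick the real cap per deployment.
    uint256 public constant MAX_LOAN_RATIO_CAP = 1e18;

    mapping(bytes32 => Pool) public pools;

    event PoolMaxLoanRatioUpdated(bytes32 indexed poolId, uint256 maxLoanRatio);

    error Unauthorized();
    error PoolConfig();

    // Hypothetical helper so the sketch is self-contained.
    function createPool(bytes32 poolId, uint256 maxLoanRatio) external {
        if (pools[poolId].lender != address(0)) revert PoolConfig();
        if (maxLoanRatio == 0 || maxLoanRatio > MAX_LOAN_RATIO_CAP) revert PoolConfig();
        pools[poolId] = Pool({lender: msg.sender, maxLoanRatio: maxLoanRatio});
    }

    // BEFORE: only the caller is checked; any ratio (e.g. 1000000e18) is accepted.
    function updateMaxLoanRatioUnchecked(bytes32 poolId, uint256 maxLoanRatio) external {
        if (pools[poolId].lender != msg.sender) revert Unauthorized();
        pools[poolId].maxLoanRatio = maxLoanRatio;
        emit PoolMaxLoanRatioUpdated(poolId, maxLoanRatio);
    }

    // AFTER: reject zero and anything above the cap before storing the value.
    function updateMaxLoanRatio(bytes32 poolId, uint256 maxLoanRatio) external {
        if (pools[poolId].lender != msg.sender) revert Unauthorized();
        require(
            maxLoanRatio > 0 && maxLoanRatio <= MAX_LOAN_RATIO_CAP,
            "maxLoanRatio out of range"
        );
        pools[poolId].maxLoanRatio = maxLoanRatio;
        emit PoolMaxLoanRatioUpdated(poolId, maxLoanRatio);
    }
}
```

The same bound should be enforced wherever a pool's maxLoanRatio is first set (here in createPool), otherwise the update-time check can be bypassed by creating the pool with an out-of-range value.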