Submission Details
Severity: high

Limiting the maximum debt by poolBalance can lead to loss of funds.

Summary

The maximum debt that can be borrowed is checked against poolBalance, which can effectively lead to loss of funds.

Vulnerability Details

In borrow() of Lender.sol, the borrower can borrow an effectively large amount as long as the checks are not in place and loanToken and collateralToken are tokens with different prices.

Impact

A borrower can effectively arbitrage large amounts by putting down a low-value token as collateral.

Proof of Concept

Let Alice create a pool with TokenA as loanToken and TokenB as collateralToken. Let USD prices of TokenA = 100$ and TokenB = 50$.

Let Bob be a borrower. He puts down 10 units of TokenB as collateral and borrows 8 units of TokenA after factoring in the loanRatio and fees.

Now Bob has put down 10 * TokenB = 500$ and received 8 * TokenA = 800$, which can be exploited even further with flash loans if the pool is sufficiently large.

Tools Used

Manual review

Recommendations

Since we are not using an oracle, we can add a new field to the Pool struct: maxAmountToLend, which limits the borrowing power by factoring in the actual prices of collateralToken and loanToken. maxAmountToLend is set by the lender.
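The proof of concept and the recommended check, modelled in Python as an added example (not code from Lender.sol or from this submission). It assumes 18-decimal fixed-point amounts, a lender-set max_loan_ratio of 0.8, and reads maxAmountToLend as a lender-set cap on loan tokens per unit of collateral; the helper names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

WAD = 10**18  # 18-decimal fixed point; the scaling is an assumption of this model


class BorrowRejected(Exception):
    pass


@dataclass
class Pool:
    pool_balance: int                         # loan tokens available, WAD-scaled
    max_loan_ratio: int                       # max debt per unit of collateral, WAD-scaled
    max_amount_to_lend: Optional[int] = None  # proposed cap: loan tokens per collateral unit


def cap_from_prices(collateral_usd: int, loan_usd: int) -> int:
    """Cap a lender could set off-chain so debt value never exceeds collateral value."""
    return collateral_usd * WAD // loan_usd


def borrow(pool: Pool, debt: int, collateral: int) -> int:
    """Apply the checks and return the pool balance left after the loan."""
    if collateral == 0:
        raise BorrowRejected("zero collateral")
    if debt > pool.pool_balance:
        raise BorrowRejected("debt exceeds poolBalance")
    if debt * WAD // collateral > pool.max_loan_ratio:
        raise BorrowRejected("loanRatio too high")
    if pool.max_amount_to_lend is not None:
        if debt > collateral * pool.max_amount_to_lend // WAD:
            raise BorrowRejected("debt exceeds maxAmountToLend")
    pool.pool_balance -= debt
    return pool.pool_balance


def usd_shortfall(debt: int, collateral: int, loan_usd: int, collateral_usd: int) -> int:
    """USD value the lender is short if the borrower never repays (0 if covered)."""
    return max(0, (debt * loan_usd - collateral * collateral_usd) // WAD)


# Constructed numbers from the proof of concept: TokenA = 100$, TokenB = 50$.
DEBT, COLLATERAL = 8 * WAD, 10 * WAD
unit_pool = Pool(pool_balance=1_000 * WAD, max_loan_ratio=8 * WAD // 10)
capped_pool = Pool(1_000 * WAD, 8 * WAD // 10, cap_from_prices(50, 100))
```

Bob's loan passes the unit-based checks on unit_pool with a 300$ shortfall, while capped_pool rejects it and allows at most 5 units of TokenA against the same collateral.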
