Submission Details
Severity: high
Valid

buyLoan function is broken

Vulnerability Report: Unauthorized Loan Purchase and Collateral Withdrawal

Overview

This vulnerability report highlights a security flaw identified in the lending system's buyLoan function. The flaw allows a malicious actor to exploit the auction system, manipulate pool balances, and gain unauthorized ownership of loans, potentially leading to significant financial losses and disruption of the lending platform.

Vulnerability Description

The vulnerability arises from insufficient validation within the buyLoan function. It lets a malicious actor buy a loan from the auction using a poolId that they do not own (i.e., they are not the lender of that pool). As a result, the function incorrectly updates the loan's ownership to the malicious actor's address without requiring any collateral transfer.

Exploitation Steps

  1. Unauthorized Loan Purchase:

    • The malicious actor identifies a loan in the auction and decides to purchase it.

    • Using the buyLoan function, the malicious actor passes a poolId that they do not own (they are not the lender of this pool). The chosen pool also need not have the same loanToken and collateralToken as the loan, since there are no checks for mismatched tokens, which gives the malicious actor a wide choice of pools.

    • As a result, the function updates the loan ownership to the malicious actor's address while taking the debt from the pool supplied by the malicious actor.

  2. Unintended Pool Balance Update:

    • Since the malicious actor has used a poolId that they do not own, the function incorrectly updates the balance of this pool.

    • The pool balance is decreased by the total debt amount (loan debt + lender interest + protocol interest) without proper checks, causing a loss of funds from the pool. This decrease is never paid back to the pool.

  3. Loan Auction Manipulation:

    • Now that the malicious actor owns the loan, they can create a new pool with the same loanToken and collateralToken as the stolen loan.

    • The malicious actor places the loan from the previous step into the new pool for auction (they can set the auction as short as they want).

    • However, because of the incorrect pool accounting in the new pool (its outstandingLoans is zero), no one will be able to buy this loan from the auction, since this statement will always revert:

    pools[oldPoolId].outstandingLoans -= loan.debt;
  4. Collateral Withdrawal and Loan Repayment:

    If you understand the contract, you may now ask how the malicious actor can withdraw these funds, since their outstandingLoans is zero. Here is how:

    • After the auction is done, the malicious actor puts the loan token into their pool as collateral.

    • The malicious actor borrows the same amount of debt (or close to the maximum) from their pool while providing the minimum amount of collateral (1 token); they can do this by setting maxLoanRatio to a large value.

    • With the pool now holding the loanTokens and the malicious actor holding the loan debt, the pool's outstanding loan balance increases accordingly.

    • The malicious actor then calls the seizeLoan function to withdraw the maximum amount of collateral from the stolen loan.

    • Now the malicious actor ends up with the borrowed tokens (equal to, or slightly less than, the collateral they provided when borrowing) plus the stolen collateral.

      NOTICE: The malicious actor may do all of this in one transaction to avoid being front-run.

Impact

The impact of this vulnerability is severe and multi-faceted:

  1. Financial Losses: The incorrect pool balance updates lead to a loss of funds from the targeted pool, causing financial losses for legitimate users and liquidity providers.

  2. Unauthorized Loan Ownership: The malicious actor gains unauthorized ownership of loans without providing the required collateral, undermining the security and integrity of the lending platform.

  3. Auction Manipulation: The malicious actor can manipulate the auction system, making certain loans unobtainable by others, potentially disrupting the loan market.

  4. Misuse of Loan Tokens: The malicious actor obtains loan tokens as a borrower without intending to repay them, leading to a reduction in available loan tokens and affecting the lending platform's stability.

Recommended Mitigation Steps

In the buyLoan function, add the following checks:

    // the caller must be the lender of the pool they are buying into
    if (msg.sender != pools[poolId].lender) revert;
    // the pool's token pair must match the loan's token pair
    if (loans[loanId].loanToken != pools[poolId].loanToken) revert;
    if (loans[loanId].collateralToken != pools[poolId].collateralToken) revert;
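As an added illustration of the recommended checks (this is not code from the report or from the audited contract), the sketch below shows a minimal buyLoan that rejects a caller who is not the destination pool's lender and rejects a pool whose token pair does not match the loan. The Pool and Loan struct layouts, the custom error names, the poolId field on Loan and the simplified accounting at the end are assumptions; only the three guard conditions and the field names poolId, loanId, lender, loanToken, collateralToken, outstandingLoans and debt come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Hypothetical sketch of the buyLoan guard recommended above.
/// Struct layouts, errors and accounting are assumed, NOT the audited contract.
contract BuyLoanGuardSketch {
    struct Pool {
        address lender;            // owner of the pool; the only account allowed to buy loans into it
        address loanToken;
        address collateralToken;
        uint256 poolBalance;       // lendable balance (assumed field name)
        uint256 outstandingLoans;  // debt currently funded by this pool
    }

    struct Loan {
        address lender;            // current owner of the loan (assumed field)
        address loanToken;
        address collateralToken;
        uint256 debt;
        bytes32 poolId;            // assumed: the pool the loan currently sits in
    }

    mapping(bytes32 => Pool) public pools;
    mapping(uint256 => Loan) public loans;

    error NotPoolLender();
    error LoanTokenMismatch();
    error CollateralTokenMismatch();

    /// Moves loan `loanId` into pool `poolId`, funded by that pool.
    /// The three checks close the gap described in the report: a caller
    /// can only spend the balance of a pool they own, and only into a pool
    /// whose token pair matches the loan.
    function buyLoan(uint256 loanId, bytes32 poolId) external {
        Pool storage pool = pools[poolId];
        Loan storage loan = loans[loanId];

        if (msg.sender != pool.lender) revert NotPoolLender();
        if (loan.loanToken != pool.loanToken) revert LoanTokenMismatch();
        if (loan.collateralToken != pool.collateralToken) revert CollateralTokenMismatch();

        // Simplified accounting (assumed): release the old pool, charge the
        // buying pool, and move ownership to the caller's pool.
        Pool storage oldPool = pools[loan.poolId];
        oldPool.outstandingLoans -= loan.debt;
        pool.poolBalance -= loan.debt;
        pool.outstandingLoans += loan.debt;
        loan.lender = msg.sender;
        loan.poolId = poolId;
    }
}
```

A regression test in the spirit of testLender.t.sol would call buyLoan from an address that is not the pool's lender and expect NotPoolLender, then call it as the lender with a pool whose loanToken or collateralToken differs from the loan's and expect the corresponding mismatch error; only a matching, caller-owned pool should succeed.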

POC

A proof of concept (PoC) test is available in the contract's repository: testLender.t.sol
