The function that repays a loan, repay, attempts to transfer the loan token back to the lender. If the loan token implements a blacklist, as the common USDC token does, the transfer may be impossible and the repayment will fail.
The function to repay the loan to the lender directly transfers the token to the pool:
This function will fail if the loan's lender is blacklisted by the token.
If the lender controls a blacklisted address, they can use the lenderManager to selectively transfer the loan to or from the blacklisted address whenever they want.
This makes the borrower unable to repay the loan, so the borrower gets liquidated.
Consider the following scenario.
Alice uses 10 WETH as collateral in a request to borrow 18000 USDC.
Bob and Charlie want to exploit this vulnerability, and Charlie is blacklisted in USDC.
Alice's collateral is sent to the pool whose lender is Bob.
Bob transfers the funds to Charlie.
Alice wants to repay the loan, but since Charlie cannot receive USDC, the transaction fails.
After Alice defaults, Charlie can withdraw Alice's collateral.
Use a push/pull pattern for transferring tokens. Allow repayment of the loan by withdrawing the user's tokens into an escrow, and allow the lender to withdraw the repayment from the escrow.
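A minimal sketch of the push/pull recommendation above, added here as an example and not taken from the audited protocol. The contract name, the open setup hook, and the claimable mapping are hypothetical, and the token is assumed to return a bool from transfer and transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface used by this sketch (assumes bool-returning tokens;
// production code would normally wrap these calls in a safe-transfer helper).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical escrow-based repayment; names are illustrative only.
contract PullRepayment {
    struct Loan {
        address borrower;
        address lender;
        IERC20 token;
        uint256 owed;
    }

    mapping(uint256 => Loan) public loans;
    // token => lender => repaid amount held in escrow, waiting to be claimed
    mapping(IERC20 => mapping(address => uint256)) public claimable;

    // Constructed setup hook so the sketch is self-contained (no access control).
    function open(uint256 id, address borrower, address lender, IERC20 token, uint256 owed) external {
        require(borrower != address(0) && loans[id].borrower == address(0), "bad loan");
        loans[id] = Loan(borrower, lender, token, owed);
    }

    // Push step: tokens move payer -> this contract only. The lender is never
    // a transfer recipient here, so a blacklisted lender cannot make it revert.
    function repay(uint256 id, uint256 amount) external {
        Loan storage loan = loans[id];
        require(amount > 0 && amount <= loan.owed, "bad amount");
        loan.owed -= amount; // effects before the external call
        claimable[loan.token][loan.lender] += amount;
        require(loan.token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Pull step: if the caller is blacklisted, only the caller's own withdrawal
    // reverts; the borrower's debt has already been reduced in repay().
    function withdraw(IERC20 token) external {
        uint256 amount = claimable[token][msg.sender];
        require(amount > 0, "nothing to claim");
        claimable[token][msg.sender] = 0;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The repayment is credited to whoever is recorded as lender when repay is called, so moving the loan to a blacklisted address afterwards affects only that address's ability to withdraw.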
Here are references to the same issue, and this one, which was accepted earlier on Sherlock.