The Lender contract is vulnerable to unauthorized loan purchases: anyone can call the buyLoan function with a poolId that they don't own. Malicious actors can use this to manipulate pool balances and misuse other lenders' funds.
The vulnerability arises from the lack of validation in the buyLoan function. When a user calls the function, the loan lender is assigned based on msg.sender, while the pool.lender obtained from the poolId is never validated against msg.sender. This enables malicious actors to fabricate loans on their own pools with favorable conditions and use other lenders' pool balances to buy those loans. As a result, they can deduct funds from the victim pool while keeping their own loans intact. Subsequently, the actor can freely remove their loan from the pool or use the stolen balance to attack other pools.
The vulnerability allows malicious actors to exploit pool balances and misuse the funds of other lenders. By creating favorable loan conditions for themselves and utilizing other lenders' pool balances, they can cause significant financial losses for victim lenders and destabilize the overall lending ecosystem.
Manual Review
To mitigate unauthorized loan purchases, the contract should implement proper validation to ensure that msg.sender is the owner of the pool before allowing the buyLoan function to proceed.
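The ownership check described above, shown in a simplified model. This is an added example, not code from the audited Lender contract: the contract name LenderSketch, the struct layouts, the error names, the buyLoan parameter list and the createPool and borrow helpers are all assumptions, and token transfers, auctions and interest are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model for illustration only; not the audited Lender contract.
/// Token transfers, auctions and interest are omitted; balances are plain numbers.
contract LenderSketch {
    struct Pool { address lender; uint256 poolBalance; }
    struct Loan { bytes32 poolId; address lender; address borrower; uint256 debt; }

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    error Unauthorized();
    error PoolExists();
    error InsufficientPoolBalance();

    // Hypothetical setup helper: the caller becomes the owner of a new pool.
    function createPool(bytes32 poolId, uint256 balance) external {
        if (pools[poolId].lender != address(0)) revert PoolExists();
        pools[poolId] = Pool({lender: msg.sender, poolBalance: balance});
    }

    // Hypothetical setup helper: the caller borrows `debt` from an existing pool.
    function borrow(bytes32 poolId, uint256 debt) external returns (uint256 loanId) {
        Pool storage pool = pools[poolId];
        if (pool.lender == address(0) || pool.poolBalance < debt) revert InsufficientPoolBalance();
        pool.poolBalance -= debt;
        loans.push(Loan({poolId: poolId, lender: pool.lender, borrower: msg.sender, debt: debt}));
        return loans.length - 1;
    }

    function buyLoan(uint256 loanId, bytes32 poolId) external {
        Pool storage buyer = pools[poolId];
        // Mitigation: only the owner of the buying pool may spend its balance.
        // Without this check, any caller could name someone else's poolId here.
        if (buyer.lender != msg.sender) revert Unauthorized();

        Loan storage loan = loans[loanId];
        if (buyer.poolBalance < loan.debt) revert InsufficientPoolBalance();

        // Move the debt: the buying pool pays, the previous pool is repaid.
        buyer.poolBalance -= loan.debt;
        pools[loan.poolId].poolBalance += loan.debt;

        // The lender is read from the validated pool, so loan.lender and
        // pool.lender can never diverge.
        loan.lender = buyer.lender;
        loan.poolId = poolId;
    }
}
```

A regression test for the fix should call buyLoan from an address that does not own the pool and assert that the call reverts and the pool balance is unchanged.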