Core Contracts

Summary

anyone can repay other users debt if canPaybackDebt is enabled by calling the function repayOnBehalf. So one can also pay a small amount(1 wei) debt for other users. If a borrower calls the repay function to repay his full debt, an attacker can call function repayOnBehalf with 1 wei amount and the borrower address as onBehalfOf and repay 1 wei debt before borrower repay function execution. Now the repay function(borrower calling) will revert due to underflow as the borrower has less(1 wei less) debt. Users may not know about the issue and they can alwayes call the repay function to repay full debt , and the attacker can function repayOnBehalf everytime to revert borrower transactions. As a result, borrower debt position may be liquidated if their position healtfactor becomes less than healthFactorLiquidationThreshold.

Vulnerability Details

** 1. Let’s assume, alice has 110 full debt and alice calls the function repay with 110 debt amount to repay full debt. Currently canPaybackDebt is enabled, so anyone can pay others debts.**

2. before alice’s repay function execution, an attacker calls the function repayOnBehalf with 1 wei amount and alice’s address as onBehalfOf, so alice’s 1 wei debt is paid by the attacker and now alice’s debt is 110 - 1wei.

3. now alice’s repay function execution will revert due to underflow because alice’s current debt is 110 - 1wei, but alice calls the repay function with 110 debt.

4. attacker can make alice repay transaction revert everytime by paying 1 wei debt before alice’s repay transaction execution.

**
**

Impact

Users may not know about the issue and they can alwayes call the repay function to repay full debt , and the attacker can function repayOnBehalf everytime to revert borrower transactions. As a result, borrower debt position may be liquidated if their position healtfactor becomes less than healthFactorLiquidationThreshold.

Tools Used

manual review

Recommendations

**make sure that attackers can’t dos the repay function. **