Anyone can update baseRatePerYear
#123
Labels: 3 (High Risk) - Assets can be stolen/lost/compromised directly; bug - Something isn't working; duplicate - This issue or pull request already exists
Lines of code
https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/NoteInterest.sol#L118
Vulnerability details
Impact
In NoteRateModel, the function updateBaseRate has no access control. Therefore anyone can call it and set baseRatePerYear to an incorrect value, either to extract funds from borrowers or to drop the borrowing cost for an attack.
Proof of Concept
An attacker could set baseRatePerYear to an arbitrarily high value close to max uint, which would lead to all Note borrowers paying extremely high interest and losing funds before the admin could react.
Recommended Mitigation Steps
Add a whitelisting requirement or an admin privilege for this function.
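As an added illustration (not the lending-market project's own code; contract names, the rate ceiling and the admin layout are assumptions), the unguarded setter described in the finding next to a hardened version with the recommended admin check, plus a value cap and an event so a change is both bounded and observable:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the pattern in the finding; this is not the
// project's NoteRateModel, and names, cap and admin layout are assumptions.

// Vulnerable shape: the setter has no access check, so any account can change
// the base rate that every Note borrower's interest is computed from.
contract NoteRateModelUnprotected {
    uint256 public baseRatePerYear;

    function updateBaseRate(uint256 newBaseRatePerYear) external {
        baseRatePerYear = newBaseRatePerYear;
    }
}

// Hardened shape: only the admin may call the setter (the mitigation the
// finding recommends); the value is capped so even a mistaken or compromised
// admin cannot set a rate near max uint; an event lets monitoring alert on it.
contract NoteRateModelProtected {
    // Assumed ceiling: 1e18 = 100% APR in 18-decimal fixed point.
    uint256 public constant MAX_BASE_RATE_PER_YEAR = 1e18;

    address public admin;
    uint256 public baseRatePerYear;

    event NewBaseRate(uint256 oldBaseRatePerYear, uint256 newBaseRatePerYear);

    modifier onlyAdmin() {
        require(msg.sender == admin, "NoteRateModel: caller is not admin");
        _;
    }

    constructor(uint256 initialBaseRatePerYear) {
        require(initialBaseRatePerYear <= MAX_BASE_RATE_PER_YEAR, "NoteRateModel: rate too high");
        admin = msg.sender;
        baseRatePerYear = initialBaseRatePerYear;
    }

    function updateBaseRate(uint256 newBaseRatePerYear) external onlyAdmin {
        require(newBaseRatePerYear <= MAX_BASE_RATE_PER_YEAR, "NoteRateModel: rate too high");
        uint256 old = baseRatePerYear;
        baseRatePerYear = newBaseRatePerYear;
        emit NewBaseRate(old, newBaseRatePerYear);
    }
}
```

A non-admin call to the protected updateBaseRate reverts with "caller is not admin", and any accepted change shows up as a NewBaseRate event that an off-chain watcher can compare against the expected governance action.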