Anyone can update baseRatePerYear
#123
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
Comments
code423n4
added
3 (High Risk)
|
Duplicate of #22 |
|
Duplicate of issue #22 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/NoteInterest.sol#L118
Vulnerability details
Impact
In
NoteRateModel, the functionupdateBaseRatehas no access control. Therefore anyone could potentially call it and setbaseRatePerYearto an incorrect value, to extract funds from borrowers or drop borrowing cost for an attack.Proof of Concept
An attacker could set
baseRatePerYearto an arbitrarily high value close to max uint, which would lead to allNotesborrowers paying extremely high interests and losing funds before the admin could react.Recommended Mitigation Steps
Add a whitelisting requirement or an admin privilege for this function.
The text was updated successfully, but these errors were encountered: