Attackers can create as many loans as possible for the collateral's owner #275
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-19
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/VaultImplementation.sol#L237-L244
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/VaultImplementation.sol#L379-L395
Vulnerability details
Vulnerable detail
When borrowers want to take a loan, they can call VaultImplementation.commitToLien(). This function first validates the commitment and then transfers the loan from the vault to the receiver.
There are 2 things to note here:
_encodeStrategyData returns the hash = keccak256(abi.encode(STRATEGY_TYPEHASH, s.strategistNonce, strategy.deadline, root));
This gives attackers an opportunity to reuse the same parameters (s.strategistNonce, strategy.deadline, root, v, r, s) of a transaction that a borrower has used to take a loan before, to create as many loans as possible for borrowers. This will make borrowers take more loans than they expected.
Impact
Borrowers take more loans than expected. Careless users who don't know about the new loans can be liquidated and lose their NFTs.
Tools Used
Manual review
Recommended Mitigation Steps
Consider requiring that msg.sender must be the holder/operator when validating a commitment.
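A simplified Solidity model of the issue and of the recommended mitigation, added here as an example; it is not code from the report or from the Astaria repository. The contract, the interface, the function names, the debt mapping and the typehash value are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration: a simplified model, not Astaria's contracts.
interface ICollateral { // ERC-721 style ownership and approval queries
    function ownerOf(uint256 id) external view returns (address);
    function getApproved(uint256 id) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
}

contract CommitmentModel {
    bytes32 constant STRATEGY_TYPEHASH = keccak256("constructed-typehash"); // placeholder value
    ICollateral public immutable collateral; // hypothetical collateral token
    address public immutable strategist;     // hypothetical commitment signer
    uint256 public strategistNonce;          // never advanced by a commit
    mapping(address => uint256) public debt; // amount owed per collateral holder

    constructor(ICollateral token, address signer) {
        collateral = token;
        strategist = signer;
    }

    // Same fields as the hash quoted above: nothing names the caller, the borrower or the loan.
    function _validate(uint256 deadline, bytes32 root, uint8 v, bytes32 r, bytes32 s) internal view {
        require(block.timestamp <= deadline, "expired");
        bytes32 digest = keccak256(abi.encode(STRATEGY_TYPEHASH, strategistNonce, deadline, root));
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == strategist, "bad signature");
    }

    // Signature-only validation: any caller can resubmit values seen in an earlier
    // transaction, and each call adds debt to the holder.
    function commitSignatureOnly(uint256 id, uint256 amount, uint256 deadline, bytes32 root,
                                 uint8 v, bytes32 r, bytes32 s) external {
        _validate(deadline, root, v, r, s);
        debt[collateral.ownerOf(id)] += amount;
    }

    // With the recommended check: only the holder or an approved operator can commit.
    function commitHolderChecked(uint256 id, uint256 amount, uint256 deadline, bytes32 root,
                                 uint8 v, bytes32 r, bytes32 s) external {
        address holder = collateral.ownerOf(id);
        require(msg.sender == holder || msg.sender == collateral.getApproved(id)
            || collateral.isApprovedForAll(holder, msg.sender), "not holder/operator");
        _validate(deadline, root, v, r, s);
        debt[holder] += amount;
    }
}
```

The holder check blocks third-party resubmission, but the digest itself stays valid until the deadline passes or the nonce changes, so a test suite for the fix should call the checked function twice from a non-holder address and assert that both calls revert.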