-
Notifications
You must be signed in to change notification settings - Fork 6
immeas - bids can be created against markets that doesn't exist #323
Comments
A user creating a bid for a market that does not yet exist yet COULD exist in the future is potentially a concern. For example an attacker could see that there are bids open for market 88, create markets until market 88 exists , and then fulfill those loans with whatever rules they want. Our user interface on the front end will prevent bids from being created with an invalid market ID so in reality this should not be an issue but in solidity strictly yes this is a valid issue. Thank you. |
We should make a function name isMarketOpen that verifies that 1) the marketId is less than the number of markets and 2) the market is not closed and we should use that in submitBid instead of !isMarketClosed |
Escalate for 10 USDC |
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Escalate for 10 USDC This is valid issue. This scenario not only applied with borrower accidentally create to a non-existing market. Consider this scenario, malicious borrower listen to The attacker then front run the market creation and create malicious borrow offer trough TellerV2 's 0% APY is part of malicious borrower input so it is realistic. This is valid issue, caused by the relatively easy and likely setup, and also caused the following impact :
|
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Github PR: Issue 323 - add check for is market open |
Escalation accepted Valid medium |
|
Fix looks good. Creates and utilizes a new check called "isMarketOpen" which requires that specified market exists |
immeas
medium
bids can be created against markets that doesn't exist
Summary
Bids can be created against markets that does not yet exist. When this market is created, the bid can be accepted but neither defaulted/liquidated nor repaid.
Vulnerability Detail
There's no verification that the market actually exists when submitting a bid. Hence a user could submit a bid for a non existing market.
For it to not revert it must have 0% APY and the bid cannot be accepted until a market exists.
However, when this market is created the bid can be accepted. Then the loan would be impossible to default/liquidate:
https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/TellerV2.sol#L963
Since
bidDefaultDuration[_bidId]
will be0
Any attempt to repay will revert due to division by 0:
https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/libraries/V2Calculations.sol#L116-L117
Since
_bid.terms.paymentCycle
will also be0
(and it will always end up in this branch sincePaymentType
will beEMI (0)
).Hence the loan can never be closed.
PoC:
Impact
This will lock any collateral forever since there's no way to retrieve it. For this to happen accidentally a borrower would have to create a bid for a non existing market with 0% APY though.
This could also be used to lure lenders since the loan cannot be liquidated/defaulted. This might be difficult since the APY must be 0% for the bid to be created. Also, this will lock any collateral provided by the borrower forever.
Due to these circumstances I'm categorizing this as medium.
Code Snippet
https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/TellerV2.sol#L334-L411
Tool used
Manual Review
Recommendation
When submitting a bid, verify that the market exists.
The text was updated successfully, but these errors were encountered: