This repository has been archived by the owner on Oct 22, 2023. It is now read-only.

MiloTruck - Borrower's reputation mark becomes permanent if his loan is defaulted and claimed by lender #484

Closed
sherlock-admin opened this issue Apr 22, 2023 · 1 comment
Labels
Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin

MiloTruck

medium

Borrower's reputation mark becomes permanent if his loan is defaulted and claimed by lender

Summary

Borrowers' reputations are not updated if a lender claims their defaulted loan, which will affect their reputation negatively forever.

Vulnerability Detail

In TellerV2.sol, if a loan is repaid or liquidated, the borrower's reputation mark is removed in the _repayLoan() function:

TellerV2.sol#L758-L761

        // If the loan is paid in full and has a mark, we should update the current reputation
        if (mark != RepMark.Good) {
            reputationManager.updateAccountReputation(bid.borrower, _bidId);
        }

As the ReputationManager.updateAccountReputation() function fetches a borrower's active bids using getBorrowerActiveLoanIds(), the bid is also removed from _borrowerBidsActive to prevent it from ever affecting the borrower's reputation in the future:

TellerV2.sol#L731-L732

            // Remove borrower's active bid
            _borrowerBidsActive[bid.borrower].remove(_bidId);

However, if the lender of a defaulted loan claims its collateral through the CollateralManager.withdraw() function, the borrower's reputation is not updated, and the bid is never removed from _borrowerBidsActive. This will cause the borrower to have a permanent defaulted loan in his reputation whenever someone calls ReputationManager.getDefaultedLoanIds().

Impact

Borrowers will have a permanent defaulted loan in their reputation for every defaulted loan that is claimed by a lender. This might cause them to be unable to get loans in the future as lenders rely on the reputation system to determine whose bids to accept.

Code Snippet

Tool used

Manual Review

Recommendation

In the CollateralManager.withdraw() function, consider updating the borrower's reputation and removing the bid from _borrowerBidsActive.
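
The following is an added model of the bookkeeping this report describes; it is not part of the original issue and not Teller's code. It contrasts the repay path with the lender-claim path and shows the effect of the recommendation. `LoanBook` and its methods are hypothetical stand-ins, and the recommendation is modelled, as an assumption, as removing the bid from the active set and clearing its mark.

```python
# Added illustration, not Teller's code: all names below are hypothetical.
class LoanBook:
    def __init__(self, apply_recommendation=False):
        self.apply_recommendation = apply_recommendation
        self.owner = {}       # bid_id -> borrower
        self.paid = set()     # bid ids repaid or liquidated
        self.overdue = set()  # bid ids past their default deadline
        self.active = {}      # borrower -> bid ids (stands in for _borrowerBidsActive)
        self.marks = {}       # borrower -> bid ids carrying a default mark

    def accept(self, bid_id, borrower):
        self.owner[bid_id] = borrower
        self.active.setdefault(borrower, set()).add(bid_id)
        self.marks.setdefault(borrower, set())

    def _apply(self, bid_id):
        marks = self.marks[self.owner[bid_id]]
        if bid_id in self.overdue and bid_id not in self.paid:
            marks.add(bid_id)      # still in default: keep the mark
        else:
            marks.discard(bid_id)  # settled: clear the mark

    def repay(self, bid_id):
        # Repay/liquidate path: bid leaves the active set, mark is re-evaluated.
        self.paid.add(bid_id)
        self.active[self.owner[bid_id]].discard(bid_id)
        self._apply(bid_id)

    def lender_claims_collateral(self, bid_id):
        # Claim path: the loan book is untouched unless the recommendation is on.
        if self.apply_recommendation:
            self.active[self.owner[bid_id]].discard(bid_id)
            self.marks[self.owner[bid_id]].discard(bid_id)

    def defaulted_loan_ids(self, borrower):
        # Marks are recomputed from the active set on every read.
        for bid_id in list(self.active[borrower]):
            self._apply(bid_id)
        return sorted(self.marks[borrower])


def scenario(apply_recommendation, settle):
    # Constructed input: bid 1 by borrower "alice" goes overdue, then settles.
    book = LoanBook(apply_recommendation)
    book.accept(1, "alice")
    book.overdue.add(1)
    before = book.defaulted_loan_ids("alice")  # mark recorded while in default
    getattr(book, settle)(1)                   # "repay" or "lender_claims_collateral"
    return before, book.defaulted_loan_ids("alice"), sorted(book.active["alice"])
```

`scenario` returns the default marks before settlement, the marks after it, and the bids still in the active set, so the stale entry left by the claim path is visible in the last two values.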

@github-actions github-actions bot added the Medium A valid Medium severity issue label May 1, 2023
@ethereumdegen ethereumdegen added the help wanted Extra attention is needed label May 4, 2023
@ethereumdegen ethereumdegen added Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed and removed help wanted Extra attention is needed labels May 12, 2023
@ethereumdegen

Thank you for your response. You are right; when the lender claims collateral right now there is not a hook that updates the state on TellerV2, so the defaulted loan will remain on the borrower's record permanently. We are not going to change this at this time.
