This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue Aug 28, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
High: A valid High severity issue
Reward: A payout will be made for this issue
Malicious lender can prevent borrowers from repaying their loans.
Summary
Malicious lenders can prevent borrowers from repaying their loans using the onRepay function in the CoolerCallback contract.
Vulnerability Detail
When a malicious lender sees a loan request that they want to clear, they will use the clearRequest function and pass the isCallback_ argument as true. When the borrower tries to repay the loan (repayLoan), the code enters the following line and calls the onRepay function on the lender:
```solidity
if (loan.callback) CoolerCallback(loan.lender).onRepay(loanID_, repaid_);
```
The onRepay function further calls the _onRepay internal function which can be defined in any possible manner. It could run an infinite loop causing out-of-gas errors or simply revert. It could be defined simply like this:
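```solidity
// Lender-side override of the CoolerCallback hook that rejects every repayment.
function _onRepay(uint256 loanID_, uint256 amount_) internal virtual override {
    revert("always reverts");
}
```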
In this way, this onRepay function which is called when a borrower invokes the repayLoan function will always revert.
Impact
The borrower is never able to repay their loans. The lender is able to claim the collateral after the loan's expiry. This will be possible in cases where the loan-to-collateral ratio is low.
sherlock-admin2 changed the title from "Vast Mandarin Sparrow - Malicious lender can prevent borrowers from repaying their loans." to "ni8mare - Malicious lender can prevent borrowers from repaying their loans." on Sep 12, 2023
Code Snippet
https://github.com/sherlock-audit/2023-08-cooler/blob/main/Cooler/src/Cooler.sol#L185
Tool used
Manual Review
Recommendation
Maybe the protocol could limit the amount of gas that is sent to the onRepay function. Also, the project should check to see if the callback functions revert by wrapping it in a try-catch block.
Duplicate of #187
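The recommendation above (a gas limit plus try-catch around the callback), sketched as an added example that is not part of the original report and not the Cooler source. `IRepayCallback`, `RepaySketch`, `CALLBACK_GAS`, `CallbackFailed` and both repay functions are hypothetical names, and token transfers and access control are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical interface mirroring the onRepay callback named in the report.
interface IRepayCallback {
    function onRepay(uint256 loanID_, uint256 amount_) external;
}

// Simplified stand-in for the lending contract (assumption, not Cooler.sol).
contract RepaySketch {
    struct Loan { address lender; uint256 debt; bool callback; }

    // Assumed gas budget for the lender hook; the value is illustrative.
    uint256 public constant CALLBACK_GAS = 100_000;

    Loan[] public loans;
    event CallbackFailed(uint256 indexed loanID, address indexed lender);

    function open(address lender_, uint256 debt_, bool callback_) external returns (uint256) {
        loans.push(Loan(lender_, debt_, callback_));
        return loans.length - 1;
    }

    // Pattern described in the report: a revert (or gas exhaustion) inside
    // the lender's hook bubbles up and undoes the whole repayment.
    function repayUnguarded(uint256 loanID_, uint256 repaid_) external {
        Loan storage loan = loans[loanID_];
        loan.debt -= repaid_;
        if (loan.callback) IRepayCallback(loan.lender).onRepay(loanID_, repaid_);
    }

    // Hardened form: debt is updated first, the hook runs with a fixed gas
    // budget, and a revert or out-of-gas inside it is caught and logged.
    function repayGuarded(uint256 loanID_, uint256 repaid_) external {
        Loan storage loan = loans[loanID_];
        loan.debt -= repaid_;
        // try/catch does not catch the "target has no code" check, so test it here.
        if (loan.callback && loan.lender.code.length > 0) {
            try IRepayCallback(loan.lender).onRepay{gas: CALLBACK_GAS}(loanID_, repaid_) {
                // Hook succeeded; nothing further to do.
            } catch {
                emit CallbackFailed(loanID_, loan.lender);
            }
        }
    }
}
```

Because the failure is swallowed, the lender's hook can be skipped, including when the caller supplies too little gas to cover the budget, so lender-side accounting should not depend on the hook having run.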