Loan calls can be DoS'd by borrower if collateral is an ERC777

[c4-bot-5]

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/LendingTerm.sol#L804

Vulnerability details

If a loan has not been repaid/partially repaid before the maxDelayBetweenPartialRepay, or when the gauge's term has been deprecated, anyone can call the loan in order to make it liquidatable.

This is done through an auction, where users can bid on the loan for a debt to repay, and a collateral to get.

The closing of the loan is done through LendingTerm::onBid where the assets are sent/taken from the different actors.

The issue is, as far as the collateral to send to the borrower is non-zero, the borrower can DoS the call by setting a callback that will make the transfer revert, making it impossible for other user to call its loan.

Impact

Loan are un-callable during the auction phase where collateral sent to borrower is non-zero, thus preventing the normal use of the protocol.

Proof of Concept

See

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/LendingTerm.sol#L804

File: src\loan\LendingTerm.sol
725:     function onBid(
726:         bytes32 loanId,
727:         address bidder,
728:         uint256 collateralToBorrower,
729:         uint256 collateralToBidder,
730:         uint256 creditFromBidder
731:     ) external {
...:
...:		//[removed first part of the function]
...:
803:         // send collateral to borrower
804:         if (collateralToBorrower != 0) {
805: @>          IERC20(params.collateralToken).safeTransfer(		//@audit-issue if collateral token with callback, borrower can make onBid revert whenever he wants
806:                 loans[loanId].borrower,							//making his loan un-callable
807:                 collateralToBorrower
808:             );
809:         }
810: 
811:         // send collateral to bidder
812:         if (collateralToBidder != 0) {
813:             IERC20(params.collateralToken).safeTransfer(
814:                 bidder,
815:                 collateralToBidder
816:             );
817:         }
818: 
819:         emit LoanClose(
820:             block.timestamp,
821:             loanId,
822:             LoanCloseType.Call,
823:             creditFromBidder
824:         );
825:     }

Tools Used

Manual audit

Recommended Mitigation Steps

Do not use a push pattern here, but rather a pull pattern for the borrower.
This mean to have a specific function for borrower to get the collateral once the call has been completed.
This way, he cannot interfer with the calling process.

Assessed type

Math

[c4-pre-sort]

0xSorryNotSorry marked the issue as sufficient quality report

[c4-pre-sort]

0xSorryNotSorry marked the issue as duplicate of #685

[c4-judge]

Trumpero changed the severity to QA (Quality Assurance)

[c4-judge]

Trumpero marked the issue as grade-b

[c4-judge]

This previously downgraded issue has been upgraded by Trumpero

[c4-judge]

Trumpero marked the issue as not a duplicate

[c4-judge]

Trumpero marked the issue as duplicate of #184

[c4-judge]

Trumpero marked the issue as satisfactory

[c4-judge]

Trumpero marked the issue as unsatisfactory:
Out of scope