ERC777 can break the term and cause every lender to get liquidated

[c4-bot-3]

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L804-L817

Vulnerability details

Impact

One of the attack vectors that the developers want us to check is malicious collateral. One such vector could be ERC777, as its use as collateral could result in every liquidation causing bad debt.

Proof of Concept

After borrowers miss their partial payments, anyone can call them and start an auction. When a user thinks they will profit from the liquidation, they can bid on the auction. In this process, they pay the bad debt for some collateral, and the remaining collateral is returned to the borrower.

if (collateralToBorrower != 0) {
   IERC20(params.collateralToken).safeTransfer(loans[loanId].borrower, collateralToBorrower);
}

if (collateralToBidder != 0) {
   IERC20(params.collateralToken).safeTransfer(bidder, collateralToBidder);
}

However, this can be dangerous, as borrowers can revert the transaction when they receive the collateral. This way, they can prevent any bid below the mid-point, and after the mid-point, bids can cause bad debt.

Example:

• ERC777 is used as collateral.

1. A competitor of ECG wants to harm its reputation, so he borrows the minimum allowed amount.

2. He leaves the loan open and intentionally misses his first payment.

3. Alice tries to liquidate this borrower, however, every transaction before the mid-point is reverted by the borrower's smart contract.

4. The mid-point passes, and the borrower no longer receives collateral, preventing them from reverting the transaction.

5. Alice successfully liquidates the borrower after the mid-point, but this causes the gauge to be slashed as a very small amount of bad debt accrues.

Note that the borrower can borrow the maximum allowed loan token for their collateral. If the minimum ratio is worth 100 USD, and maxDebtPerCollateralToken is 80%, the borrower can borrow 80 USD, effectively causing the gauge to be slashed for only 20 USD.

Tools Used

Manual review.

Recommended Mitigation Steps

Implement push instead of pull. This way, borrowers will not be able to cause unnecessary damage to the protocol.

Assessed type

ERC20

[c4-pre-sort]

0xSorryNotSorry marked the issue as sufficient quality report

[c4-pre-sort]

0xSorryNotSorry marked the issue as duplicate of #685

[c4-judge]

Trumpero changed the severity to QA (Quality Assurance)

[c4-judge]

Trumpero marked the issue as grade-b

[c4-judge]

This previously downgraded issue has been upgraded by Trumpero

[c4-judge]

Trumpero marked the issue as not a duplicate

[c4-judge]

Trumpero marked the issue as primary issue

[Trumpero]

I consider this issue to be distinct from issue #685, as a borrower can just use ERC777's hook to prevent bidding and create losses for lending terms. Since the contest docs didn't exclude ERC777, I believe this should be a medium.

[c4-judge]

Trumpero marked the issue as satisfactory

[c4-judge]

Trumpero marked the issue as selected for report

[c4-sponsor]

eswak (sponsor) acknowledged

[serial-coder]

Hi @Trumpero,

The sponsor confirmed to us in Discord that ERC-777 is not supported.

[Trumpero]

@serial-coder Thanks for providing information. Based on the sponsor's statement in the public channel, this issue should be marked as OOS.

[c4-judge]

Trumpero marked the issue as unsatisfactory:
Out of scope