Can re-onboard a lending term which hasn't been properly cleaned up, allowing it to be immediately offboarded at any time

[c4-bot-8]

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOffboarding.sol#L154

Vulnerability details

Impact

If a LendingTerm is re-onboarded after being offboarded but before being cleaned up with LendingTermOffboarding.cleanup, the canOffboard[term] mapping will be set to true, allowing the LendingTerm to be offboarded at any time by anyone. This can be done to grief borrowers and gauge voters.

Proof of Concept

When a LendingTerm is offboarded, it's important that it goes through the two step process of offboard and cleanup. This is necessary because cleanup marks canOffboard[term] as false, preventing offboarding of the term without a successful proposal.

// LendingTermOffboarding.cleanup()
canOffboard[term] = false;

// LendingTermOffboarding.offboard()
require(canOffboard[term], "LendingTermOffboarding: quorum not met");

Unfortunately, it's reasonably possible that a term gets re-onboarded without first being cleaned up because:

1. cleanup can only be executed after all existing loans are called and auctioned
2. More importantly, onboarding doesn't validate that the term has been cleaned up

As a result, an unclean term could reasonably end up getting re-onboarded, in which case anyone could immediately offboard it at any time, causing loss to term participants.

Tools Used

• Manual review

Recommended Mitigation Steps

LendingTermOnboarding should validate that the proposed term returns false from canOffboard[term].

Assessed type

Invalid Validation

[c4-pre-sort]

0xSorryNotSorry marked the issue as sufficient quality report

[c4-pre-sort]

0xSorryNotSorry marked the issue as duplicate of #1147

[c4-judge]

Trumpero marked the issue as duplicate of #1141

[c4-judge]

Trumpero marked the issue as satisfactory