Well collateralized loans can be locked forever #9
Comments
alcueca marked the issue as duplicate of #10
alcueca marked the issue as satisfactory
alcueca changed the severity to 3 (High Risk)
Not a dup. What I'm saying here is that loans have no time limits. Even if #10 is fixed, this won't be fixed for loans with a low interest. Funds can be locked for years, and lenders have no way to extract the collateral. Loans with zero interest can be locked forever. Please re-check.
I agree, this issue is not a dup of #10. However, given that there is no incentive for users to not close their borrow positions for long periods of time, since their loans will always be over-collateralized and they will be accruing more interest fees the more they keep their borrowed SOL, and also that them losing access to their private key is a very unlikely scenario, I believe that the severity of this issue is borderline Medium/Low.
The design includes borrowing rates, which is the usual mechanism to ensure that loans are repaid. Refactoring the protocol to include fixed terms seems out of scope to me. I'm accepting this issue as a duplicate of #10 as it rightly points out the issue that loans can stay open forever, even if the remediation suggested is not optimal.
alcueca changed the severity to 2 (Med Risk)
alcueca changed the severity to 3 (High Risk)
alcueca changed the severity to 2 (Med Risk)
Based on the Appellate Court Decision here, this issue has been upgraded to High severity.
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/9e8295b542fb71b2ba9b4693e25619585266d19e/libs/smart-contracts/programs/lavarage/src/processor/swap.rs#L12
Vulnerability details
Impact
Borrowed funds might never be returned, and collateral can be stuck inside the position, potentially forever.
This happens when the borrower doesn't repay the loan and if it remains collateralized to the extent that it can never be liquidated, as there aren't any time limits for the loan.
Proof of Concept
Borrowers can borrow well collateralized loans that can't be liquidated anytime soon as they have an infinite duration. Lenders cannot extract the collateral (supposing a healthy LTV), no matter how much time passes.
Borrowers might have no incentive to do so, but this scenario can easily happen anyway: for example, borrowers might lose access to their wallets or they might even die.
If this happens, funds are stuck inside the position until the LTV is high enough to liquidate the position (potentially never).
Tools Used
Manual review
Recommended Mitigation Steps
Consider implementing a maximum duration for the loan: if this time passes and the borrower doesn't repay it, the lender should be able to liquidate it.
Assessed type
Timing
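Added example, not part of the original report or of the Lavarage code base: a simplified Rust model comparing an LTV-only liquidation rule with the maximum-duration rule suggested in the mitigation. The `Position` struct, its fields, the 90% threshold and the one-year cap are hypothetical, and the model assumes simple interest and a constant collateral valuation.

```rust
// Added illustration. Struct, fields and thresholds are hypothetical, not Lavarage's types.
// Assumptions: simple (non-compounding) interest and a constant collateral valuation.
const SECONDS_PER_YEAR: i64 = 365 * 24 * 60 * 60;
const BPS: u128 = 10_000;

pub struct Position {
    pub collateral_value: u64, // collateral valued in lamports
    pub principal: u64,        // borrowed lamports
    pub apr_bps: u64,          // annual borrow rate in basis points
    pub opened_at: i64,        // unix timestamp of the borrow
}

impl Position {
    /// Principal plus simple interest accrued up to `now`.
    pub fn debt(&self, now: i64) -> u128 {
        let elapsed = now.saturating_sub(self.opened_at).max(0) as u128;
        let p = self.principal as u128;
        p + p * self.apr_bps as u128 * elapsed / (BPS * SECONDS_PER_YEAR as u128)
    }
    /// LTV-only rule: liquidatable once debt / collateral reaches `max_ltv_bps`.
    pub fn liquidatable_by_ltv(&self, now: i64, max_ltv_bps: u64) -> bool {
        self.debt(now) * BPS >= self.collateral_value as u128 * max_ltv_bps as u128
    }
    /// Mitigated rule: LTV breach, or the loan has been open for `max_duration` seconds.
    pub fn liquidatable(&self, now: i64, max_ltv_bps: u64, max_duration: i64) -> bool {
        let expired = now.saturating_sub(self.opened_at) >= max_duration;
        expired || self.liquidatable_by_ltv(now, max_ltv_bps)
    }
}

/// First whole year at which the LTV-only rule fires, or None within `horizon_years`.
pub fn years_until_ltv_liquidation(p: &Position, max_ltv_bps: u64, horizon_years: i64) -> Option<i64> {
    (0..=horizon_years).find(|&y| p.liquidatable_by_ltv(p.opened_at + y * SECONDS_PER_YEAR, max_ltv_bps))
}

/// Constructed sample: 10 SOL of collateral backing a 5 SOL loan (50% LTV).
pub fn sample(apr_bps: u64) -> Position {
    Position { collateral_value: 10_000_000_000, principal: 5_000_000_000, apr_bps, opened_at: 0 }
}

fn main() {
    for apr in [0, 100] {
        let p = sample(apr);
        let ltv_only = years_until_ltv_liquidation(&p, 9_000, 200);
        let capped = p.liquidatable(SECONDS_PER_YEAR, 9_000, SECONDS_PER_YEAR);
        println!("apr {apr} bps: LTV-only fires after {ltv_only:?} years; 1-year cap fires at year 1: {capped}");
    }
}
```

In this model a zero-interest position never becomes liquidatable under the LTV-only rule, and a 1% APR position takes 80 years to reach the threshold, while the duration cap makes both liquidatable after one year.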