Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
58 lines (44 loc) · 1.64 KB

040.md

File metadata and controls

58 lines (44 loc) · 1.64 KB

csanuragjain

medium

Bypass ClearingHouse contract

Summary

The clearing house contract enforces collateral and debt to be gOhm and Dai token only. But this can be bypassed by directly calling clear function on Cooler contract

Vulnerability Detail

  1. Observe the clear function on ClearingHouse contract
function clear (Cooler cooler, uint256 id) external returns (uint256) {
        if (msg.sender != operator) 
            revert OnlyApproved();

        // Validate escrow
        if (!factory.created(address(cooler))) 
            revert OnlyFromFactory();
        if (cooler.collateral() != gOHM || cooler.debt() != dai)
            revert BadEscrow();

        (
            uint256 amount, 
            uint256 interest, 
            uint256 ltc, 
            uint256 duration,
        ) = cooler.requests(id);

        // Validate terms
        if (interest < minimumInterest) 
            revert InterestMinimum();
        if (ltc > maxLTC) 
            revert LTCMaximum();
        if (duration > maxDuration) 
            revert DurationMaximum();

        // Clear loan
        dai.approve(address(cooler), amount);
        return cooler.clear(id);
    }
  1. All input validation is performed and then clear function on cooler is called
  2. This can be bypassed by simply calling clear function on cooler directly

Impact

Bypass all restrictions placed in ClearingHouse clear function

Code Snippet

https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/aux/ClearingHouse.sol#L58

Tool used

Manual Review

Recommendation

The clear function on Cooler should be restricted to be only callable by ClearingHouse contract