This repository has been archived by the owner on May 26, 2023. It is now read-only.
banditx0x - Permanent freezing of funds: Roll can be called infinite times without extra payment, extending the loan duration to infinity. #102
Comments
github-actions
bot
added
Duplicate
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
banditx0x
high
Permanent freezing of funds: Roll can be called infinite times without extra payment, extending the loan duration to infinity.
Summary
Permanent freezing of funds: Roll can be called infinite times without extra payment, extending the loan duration to infinity.
Vulnerability Detail
Permanent freezing of funds: Roll can be called infinite times, extending the loan duration to infinity.
https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L129
Borrowers have a large incentive exploit lenders this way. They can repay the loan only when it is profitable to do so. After doing this, the loaner cannot unlock his funds.
Note that the borrower does not have to transfer extra interest payments for the duration for the loan. The payment is calculated via:
https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L139
Note that the collateralFor() function does not include interest payments in the calculation:
https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L236-L237
There is huge incentive to extend the loan. A borrower with an extended loan can pay back the loan only when it is profitable to do so, and the lender will never be able to send the collateral.
eg. DAI Price = $1
gOhm Price = $10
Borrower is using 12 DAI as collateral to borrow 1gOhm. They extend the loan far into the future using roll()
If price of gOhm goes up to $15, the borrower has no incentive repay the loan. However if the price of Ohm goes down to $5, they can swap the borrowed gOhm for the now more valuable DAI.
When the borrower returns their funds, they do need to pay the extra interest from their extended loan period. However, if they don't pay back the loan, they never have to pay the interest since they were not required to put it up for collateral.
The ability to roll can be turned off by the lender, but the initial state is rollable == true.
https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L83
Thus the borrower can begin extend the loan before the lender triggers toggleRole() function. This contradicts the initial purpose of the roll.
Impact
Borrowers can extend loans indefinitely without paying interest, and are incentivized to do so. Lenders become exploited and end up lending for periods far longer than they had initially signed up for.
Code Snippet
https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L129
Tool used
Manual Review
Recommendation
Make rollable == false after one the roll() function is called once. The lender needs to call toggleRoll() to enable the Roll again.
Duplicate of #215
The text was updated successfully, but these errors were encountered: