usmannk - Loans may be rolled over to infinity

[github-actions]

usmannk

high

Loans may be rolled over to infinity

Summary

Loans may be rolled over an unlimited number of times, very quickly approaching effectively infinite loan lengths.

Vulnerability Detail

The roll function in Cooler.sol adds the req.duration amount to the loan.expiry amount. For example, rolling over a 1 week loan extends it by 1 week. Rolling the loan again, even in the same transaction, immediately extends it by another week. In this manner a debtor may very quickly roll over a loan into infinity, allowing it to effectively never default.

https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L129-L147

This is further exacerbated by the fact that loans are rollable by default, so any loan may potentially fall victim to this attack.

Impact

A debtor can attack a lender by taking the lent tokens for an arbitrary amount of time, forcing the loan to never go into default.

Code Snippet

Cooler victimCooler = address(/* victim address */);
for(int i = 0; i < 1000; i++) {
  victimCooler.roll(0) // roll over the loan with id 0
}

Tool used

Manual Review

Recommendation

Replace loan.expiry += req.duration; with loan.expiry = block.timestamp + req.duration;, making it so rolling a loan changes the loan expiry relative to the current block time, instead of the currently set expiry. This way a loan may only ever be up to req.duration in the future, rather than infinitely in the future.

Duplicate of #215