thekmj - Rollable loans can be indefinitely rolled, opening up room for a griefing attack that will permanently lock funds.

[github-actions]

thekmj

high

Rollable loans can be indefinitely rolled, opening up room for a griefing attack that will permanently lock funds.

Summary

If a loan is rollable, and if a malicious borrower has enough collateral, they can perform a griefing attack that creates a lesser-known type of bad debt for the lender: A debt that is technically not defaulted, but extends indefinitely.

Vulnerability Detail

Let us first note that rolling a loan does not turn off rolling capability. It also has no access control: Anyone can call this (however at the cost of their own funds).

https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L129-L147

Therefore, assuming an attacker has enough collateral, they can roll a cleared loan to an effectively infinite timestamp. The consequence is that, if the borrower defaults, the collateral is effectively locked within the contract, as the contract logic will not recognize a default for effectively an eternity, since the lender cannot resolve the defaulted loan.

Since loans are rollable by default, there is no way to prevent someone from clearing a loan as soon as it appears, and spam the griefing attack.

It is worth noting that, under special ERC20 tokens that don't revert on failed transfer, the attack can be done for free.

Impact

It is possible to lock collateral tokens indefinitely using rollable loans mechanism, as long as the collateral condition can be cleared (which has been shown to be possible).

Code Snippet

https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L129-L147

Tool used

Manual Review

Recommendation

Make rolling false by default, and turn off rolling capability after each successful roll.

Additionally, we recommend adding a sanity check to the loan duration, to prevent accidental lengthy loans.

Duplicate of #215