This repository has been archived by the owner on May 26, 2023. It is now read-only.
simon135 - Since when a loan is cleared rollable=true, an attacker can do many different things with that, like rolling over the loan with frontrunning and getting more debt without paying collateral
#312
Closed
github-actionsbot opened this issue
Jan 27, 2023
· 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
High: A valid High severity issue
Reward: A payout will be made for this issue
Summary
When clearing a loan, rollable=true by default. Because of that, when clearing a loan, a user/borrower/attacker can come and do many things, like roll off a loan for free or bypass the clearinghouse duration for the loan.

Vulnerability Detail
case 1:
The lender and borrower match a loan, and right after the clear tx the borrower rolls over the loan with back-running and gets more debt without spending collateral.
It results in huge debt on the loan for free (on a huge loan this is a big loss).
ex:
The lender calls clear.
The borrower front-runs the lender's call to toggle the roll off with a higher gas fee and gets more debt without paying collateral, because nothing has happened with the loan yet. They can loop in the roll function with high gas fees, getting unlimited debt for free.
case 2:
The same thing as above, but instead of the borrower it's a random user, and since newCollateral=0 the user can inflict debt on the borrower and cause a huge debt ceiling.
case 3:
The borrower clears the loan in the auction house and they have a limit of 365 days, but since we can roll over with the lender approving it, we can bypass the limit on the duration of the loan.

Code Snippet
on default loan is rollable
newCollateral=0 is true for the examples above, because the collateral and new collateral are calculated the same way. One of the only ways to make newCollateral>0 would be to repay some of the loan, but we are not doing that; we are just getting newCollateral - collateral, and since they are updated every time it should be zero.
ex:
collateral=100
newCollateral=100
=0
and since we increment by 5 every time, collateral=105
and newCollateral=105
=0

Recommendation
I put them in the same issue because the underlying issue is the same: rollable=true by default.
Some suggestions for mitigation if rollable != false on the clearing of the loan:
make roll onlyowner, so nobody can make changes that create more debt for the owner.
The overall fix:
make rollable=false on the clearing of a loan.
Tool used
Manual Review
Duplicate of #215
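
The report's scenario as a small Python model, added here as an illustration and not the audited contract's code. The names `clear`, `roll` and `toggle_roll`, the flat interest of 5 and the caller labels are assumptions, and `only_borrower` stands for the report's onlyowner suggestion, taking the owner to be the borrower. It contrasts a loan cleared with rollable=true against one cleared with rollable=false.

```python
from dataclasses import dataclass

TERM = 365 * 86_400   # the 365-day limit named in the report, in seconds
INTEREST = 5          # constructed value: debt added per roll

class Revert(Exception):
    """Stands in for a reverted transaction."""

@dataclass
class Loan:
    borrower: str
    lender: str
    debt: int
    expiry: int
    rollable: bool

def clear(borrower, lender, amount, now, rollable_default):
    # True models the default the report describes, False its overall fix.
    return Loan(borrower, lender, amount, now + TERM, rollable_default)

def toggle_roll(loan, caller):
    if caller != loan.lender:
        raise Revert("only lender")
    loan.rollable = not loan.rollable

def roll(loan, caller, now, only_borrower):
    if now > loan.expiry:
        raise Revert("defaulted")
    if not loan.rollable:
        raise Revert("not rollable")
    if only_borrower and caller != loan.borrower:
        raise Revert("only borrower")
    # Per the report the collateral top-up is 0 here, so no collateral moves.
    loan.debt += INTEREST
    loan.expiry += TERM

def rolls_accepted(loan, caller, now, attempts, only_borrower):
    """Count how many of `attempts` roll calls from `caller` succeed."""
    ok = 0
    for _ in range(attempts):
        try:
            roll(loan, caller, now, only_borrower)
            ok += 1
        except Revert:
            pass
    return ok

if __name__ == "__main__":
    loan = clear("borrower", "lender", 100, 0, rollable_default=True)
    print(rolls_accepted(loan, "stranger", 0, 3, False), loan.debt, loan.expiry // TERM)
```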