Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

cducrest-brainbot - Roll multiple times on a loan to lock it for a long time #323

Closed
github-actions bot opened this issue Jan 27, 2023 · 0 comments
Closed

cducrest-brainbot - Roll multiple times on a loan to lock it for a long time #323

github-actions bot opened this issue Jan 27, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@github-actions
Copy link

github-actions bot commented Jan 27, 2023
edited
Loading

cducrest-brainbot

medium

Roll multiple times on a loan to lock it for a long time

Summary

Directly after a loan is cleared, anyone can call roll(loanID) on the Cooler any number of times they want. This will bump the loan expiry time a corresponding number of times multiplied by request.duration at the cost of collateral for the caller. The idea is to lock the loan in order for the lender to never be able to call defaulted(loanID) on it.

Vulnerability Detail

With the example values provided in ClearingHouse.sol of minimumInterest = 2% and maxDuration = 1 year, it would cost about 21.9% of the collateral to lock the loan for 10 additional years or 48.6% of the collateral to lock the loan for 20 additional years with only 10 or 20 calls to roll(loanID) (due to compound interests).

Since any address can repay a loan, the attacker can lock a loan for 20 or more years and create a ransom contract that will repay the loan only if a ransom is paid out. The attacker would ask for the lender to repay initial debt + interests of the locked duration + collateral cost of the attack + ransom in order to repay the loan and receive ransom positive value from the attack. The lender would get all the initial debt + interests of the locked duration back, and the Cooler owner would receive collateral cost of the attack.

If the attacker is the borrower, they can ask for initial debt + interests of the locked duration + ransom since they will receive collateral cost of the attack back in the end.

Impact

If attackers have access to sufficient collateral, they can borrow all the tokens available in the ClearingHouse contract, lock them for 20 or more years, and ask for a ransom. If the ClearingHouse does not have access to any more funds, this would render the ClearingHouse unusable.

If the ClearingHouse owner accept to pay the ransom, they would lose funds. If not, both the attacker and ClearingHouse owner's funds are locked for a long period of time.

Code Snippet

https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L129-L147
https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L202-L203

Tool used

Manual Review

Recommendation

Only allow for roll(loanID) to be called when the remaining time of the loan is below 25% of its duration. Or only allow roll(loanID) to bump the loan.expiry time to block.number + req.duration. Or set the default loan.rollable to false and inform users of its implication.

Duplicate of #215
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Jan 27, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Feb 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin