This repository has been archived by the owner on May 26, 2023. It is now read-only.

HollaDieWaldfee - Cooler: roll function should set loan.rollable to false when called #45

Closed
github-actions bot opened this issue Jan 27, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

github-actions bot commented Jan 27, 2023

HollaDieWaldfee

medium

Cooler: roll function should set loan.rollable to false when called

Summary

The Cooler.roll function allows the borrower of a loan to extend the loan for another duration.
By doing this the debt is increased and the borrower must provide additional collateral.

The issue with this is that the borrower can extend the loan for as many durations as he wants.
The rollable attribute is not set to false when the function is called.

Vulnerability Detail

The lender might grant the borrower a loan with a 3% interest rate which can be a reasonable interest rate for a loan with a duration of one year.
However the borrower can roll the loan for as many durations as he wants.

This is a problem since the economic incentives are such that longer loan durations should require the borrower to pay higher interest rates. This is because the lender loses access to his money for a longer period of time and the longer the duration the higher the risk of default.

The borrower should not have to pay only 3% interest per year for a loan with a duration of, say, 10 years. The interest rate should be a lot higher.

Impact

So the borrower can extend a loan which is meant for a short duration for as long as he wants with the low interest rates that are only sensible for the shorter duration.

Code Snippet

https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L129-L147

Tool used

Manual Review

Recommendation

The Cooler.roll function should set rollable to false such that the borrower can only extend the loan for one additional period. If he wants to extend the loan for longer, the lender must consent to this again.

Fix:

diff --git a/src/Cooler.sol b/src/Cooler.sol
index 92158d3..2e97f43 100644
--- a/src/Cooler.sol
+++ b/src/Cooler.sol
@@ -142,6 +142,7 @@ contract Cooler {
         loan.amount += newDebt;
         loan.expiry += req.duration;
         loan.collateral += newCollateral;
+        loan.rollable = false;
         
         collateral.transferFrom(msg.sender, address(this), newCollateral);
     }
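
Review bot: once `loan.rollable = false;` runs, nothing in this hunk lets the lender set the flag back to true, so the recommendation's "the lender must consent to this again" needs a lender-only path elsewhere in the contract that re-enables rolling; without it the loan can be rolled at most once in its lifetime. The change also only has an effect if roll reverts when loan.rollable is false, and that guard would sit above line 142, outside the visible context, so confirm it is present and add a test that a second roll call on the same loan reverts. Keeping the assignment ahead of collateral.transferFrom is the right order, since the loan state is final before the external call.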

Duplicate of #215

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Jan 27, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Feb 6, 2023