This repository has been archived by the owner on May 26, 2023. It is now read-only.

yixxas - Terms for expiry date for loans can be bypassed #73

Closed
github-actions bot opened this issue Jan 27, 2023 · 4 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Escalation Resolved This issue's escalations have been approved/rejected Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@github-actions

github-actions bot commented Jan 27, 2023

yixxas

high

Terms for expiry date for loans can be bypassed

Summary

Lenders and borrowers come to an agreement via the contract based on the terms provided in a Request. The decided expiry date can unilaterally be extended by the borrower without any input from the lender.

Vulnerability Detail

The key issue here is that the default state of rollable is set to true when a lender clears a loan. A loan that has been newly cleared can always be rolled. The borrower can always frontrun the toggleRoll() transaction and extend the expiry date of the loan regardless of whether lender agrees to it. In fact, borrower can make multiple transactions of roll() before toggleRoll() is called to extend the expiry date multiple times.

Impact

Impact is severe here because lender essentially does not have a choice for the expiry date of a loan. The agreed upon expiry date can be extended even if they do not want to allow it. Borrower can choose to extend the expiry date to its own preference.

For example, Borrower and Lender agree on a loan of 1 year. Right after Lender clears the loan, Borrower calls toggleRoll() 10 times, puts in the required collateral to cover the interest and extends it by 10 years. Lender is now forced to give a loan of 10 years even though they toggleRoll().

Code Snippet

https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L139
https://github.com/sherlock-audit/2023-01-cooler/blob/main/src/Cooler.sol#L177

Tool used

Manual Review

Recommendation

It is recommended that we set the default state of whether a loan is rollable to false when a loan is cleared by Lender.

Duplicate of #265
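
An added example, not part of the original report or the Cooler code base: a simplified Python model of the clear / roll / toggleRoll flow the report describes, comparing a loan that is rollable by default with the recommended default of false. Class and function names are hypothetical, and collateral and interest accounting are left out.

```python
from dataclasses import dataclass

YEAR = 365 * 24 * 3600  # constructed loan term, in seconds


class NotRollable(Exception):
    """Raised when the borrower tries to roll a loan the lender has not enabled."""


@dataclass
class Loan:
    duration: int   # term agreed in the request
    expiry: int     # current expiry timestamp
    rollable: bool  # whether the borrower may extend the loan


class LoanBook:
    """Hypothetical model of the flow in the report (not the project's code)."""

    def __init__(self, rollable_by_default: bool):
        self.rollable_by_default = rollable_by_default
        self.loans = []

    def clear(self, duration: int, now: int) -> int:
        # Lender accepts the request; the loan starts in the default state.
        self.loans.append(Loan(duration, now + duration, self.rollable_by_default))
        return len(self.loans) - 1

    def toggle_roll(self, loan_id: int) -> bool:
        # Lender-side switch (caller checks omitted in this model).
        loan = self.loans[loan_id]
        loan.rollable = not loan.rollable
        return loan.rollable

    def roll(self, loan_id: int) -> int:
        # Borrower-side extension by one agreed term.
        loan = self.loans[loan_id]
        if not loan.rollable:
            raise NotRollable(loan_id)
        loan.expiry += loan.duration
        return loan.expiry


def extension_without_lender_consent(rollable_by_default: bool, rolls: int = 10) -> int:
    """Extra terms the borrower obtains before the lender takes any action."""
    book = LoanBook(rollable_by_default)
    loan_id = book.clear(YEAR, now=0)
    agreed = book.loans[loan_id].expiry
    for _ in range(rolls):
        try:
            book.roll(loan_id)
        except NotRollable:
            break
    return (book.loans[loan_id].expiry - agreed) // YEAR
```

With the default set to false, rolling only succeeds after the lender has explicitly called the toggle, so the agreed expiry cannot move without the lender acting first.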

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Jan 27, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Feb 6, 2023
@yixxas

yixxas commented Feb 7, 2023

Escalate for 1 USDC

The key issue here is that the default state of rollable is set to true when a lender clears a loan. A loan that has been newly cleared can always be rolled.

This is a clear duplicate of #265 , where a "Loan is rollable by default".

@sherlock-admin
Contributor

Escalate for 1 USDC

The key issue here is that the default state of rollable is set to true when a lender clears a loan. A loan that has been newly cleared can always be rolled.

This is a clear duplicate of #265 , where a "Loan is rollable by default".

You've created a valid escalation for 1 USDC!

To remove the escalation from consideration: Delete your comment.
To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin sherlock-admin added the Escalated This issue contains a pending escalation label Feb 7, 2023
@hrishibhat
Contributor

Escalation accepted

Valid duplicate of #265

@sherlock-admin
Contributor

Escalation accepted

Valid duplicate of #265

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.

@sherlock-admin sherlock-admin added Escalation Resolved This issue's escalations have been approved/rejected Medium A valid Medium severity issue and removed Escalated This issue contains a pending escalation High A valid High severity issue labels Feb 9, 2023