Skip to content
This repository has been archived by the owner on Apr 28, 2024. It is now read-only.

kutugu - takeOverDebt does not have expiration time protection #134

Closed
sherlock-admin2 opened this issue Oct 23, 2023 · 0 comments
Closed

kutugu - takeOverDebt does not have expiration time protection #134

sherlock-admin2 opened this issue Oct 23, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Oct 23, 2023
edited by Evert0x
Loading

kutugu

medium

takeOverDebt does not have expiration time protection

Summary

takeOverDebt, borrow, and repay are all important entrances for users to interact with funds. On low-throughput networks such as Ethereum, expiration time protection should be added to prevent transactions from staying for a long time before being executed, consuming users' funds beyond expectations.
However, only borrow and repay in the contract have expiration time protection, but takeOverDebt does not.

Vulnerability Detail

    function takeOverDebt(bytes32 borrowingKey, uint256 collateralAmt) external

    function borrow(
        BorrowParams calldata params,
        uint256 deadline
    ) external nonReentrant checkDeadline(deadline)

    function repay(
        RepayParams calldata params,
        uint256 deadline
    ) external nonReentrant checkDeadline(deadline)

takeOverDebt will transfer ownership based on the current status of the loan. The user needs to transfer the required collateral and feeDebt to the contract to take over the loan.
takeOverDebt does not add expiration time protection, and the transaction may not be executed until a long time later. At this time, the funds required by the user may be far more than expected, and the loan may continue to depreciate as a non-performing asset, resulting in capital losses.

Impact

User transactions may take a long time to be executed, and the funds spent may be far more than expected. And loans, as non-performing assets, may lead to financial losses.

Code Snippet

Tool used

Manual Review

Recommendation

Add expiration time protection for takeOverDebt
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Oct 26, 2023
@sherlock-admin2 sherlock-admin2 changed the title Festive Daffodil Grasshopper - takeOverDebt does not have expiration time protection kutugu - takeOverDebt does not have expiration time protection Oct 30, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Oct 30, 2023
@HHK-ETH HHK-ETH mentioned this issue Nov 6, 2023
Open
@Evert0x Evert0x removed the Medium A valid Medium severity issue label Nov 9, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Nov 9, 2023
@sherlock-admin2 sherlock-admin2 removed the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Nov 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Evert0x @sherlock-admin @sherlock-admin2