Skip to content

Latest commit

 

History

History
97 lines (62 loc) · 2.76 KB

022.md

File metadata and controls

97 lines (62 loc) · 2.76 KB
Raw

Handsome Pineapple Mustang

Medium

wrong implement of "deleteBorrowOrder"

Summary

in the deleteBorrowOrder lets say that our activeOrdersCount is 1 and we want to delete it so, our index is 0 as borrowOrderIndex[_borrowOrder] is 0 as its first borrower.

allActiveBorrowOrders[0] = address(0);

borrowOrderIndex[address(0)] = 0;

so after removal and lets suppose we createBorrowOrder a new borrower and activeOrdersCount becomes 1. now we call again the deleteBorrowOrder with the original _borrowOrder,

but due to activeOrdersCount is one then allActiveBorrowOrders[activeOrdersCount - 1] = address(0);

this will cause a new "borrower" allActiveBorrowOrders[activeOrdersCount - 1] to zero address. this will cause a wrong implement of getActiveBorrowOrders.

function deleteBorrowOrder(address _borrowOrder) external onlyBorrowOrder { // get index of the borrow order uint index = borrowOrderIndex[_borrowOrder]; borrowOrderIndex[_borrowOrder] = 0;

    // get last borrow order
    allActiveBorrowOrders[index] = allActiveBorrowOrders[
        activeOrdersCount - 1
    ];
    // take out last borrow order
    allActiveBorrowOrders[activeOrdersCount - 1] = address(0);

    // switch index of the last borrow order to the deleted borrow order
    borrowOrderIndex[allActiveBorrowOrders[index]] = index;
    activeOrdersCount--;
}

function getActiveBorrowOrders( uint offset, uint limit ) external view returns (DBOImplementation.BorrowInfo[] memory) { uint length = limit; if (limit > activeOrdersCount) { length = activeOrdersCount; } // chequear esto DBOImplementation.BorrowInfo[] memory result = new DBOImplementation.BorrowInfo[](length - offset); for (uint i = 0; (i + offset) < length; i++) { address order = allActiveBorrowOrders[offset + i];

        DBOImplementation.BorrowInfo memory borrowInfo = DBOImplementation(
            order
        ).getBorrowInfo();
        result[i] = borrowInfo;
    }
    return result;
}

Root Cause

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/DebitaBorrowOffer-Factory.sol#L162

wrong implement of deleteBorrowOrder.as we can delete the new borrower as there is no check for the old borrower.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

the new borrower can be deleted with the old _borrowOrder.this will cause a new borrower to be deleted.

PoC

No response

Mitigation

creating a mapping that we cannot call deleteBorrowOrder with the same _borrowOrder again and again to delete.