Fujicracy / fuji-v2

Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app

Unknown Repayment amount #354

Closed le-kag closed 1 year ago

le-kag commented 1 year ago

Title: Unknown Repayment Amount

Severity: Medium

Affected smart contract: ProviderCompound.sol

The vulnerability can be attributed to the following line of code:

Line 50:

```solidity
ICeth(cTokenAddr).repayBorrow{ value: msg.value }();
```

Line 73:

```solidity
erc20token.uniApprove(address(cTokenAddr), _amount);
cToken.repayBorrow(_amount);
```

Description: When a borrower repays an ERC20 loan, they can call the repayBorrow function with a specified amount to repay. However, interest accrues in every block, which means that if the borrower specifies the value of the loan at a particular block, their loan will be slightly higher in a future block when the transaction is confirmed. This could lead to the borrower leaving part of the loan unpaid.

Attack scenario: An attacker could exploit this vulnerability by specifying a loan repayment amount at a particular block, and then sending the transaction. However, when the transaction is confirmed, the loan balance would have increased due to interest accrual, resulting in the borrower leaving part of the loan unpaid. This could potentially result in financial losses for the lender.

Recommendation: To prevent this vulnerability, borrowers should treat the specified repayment amount as an upper bound, where the transaction repays the minimum of that value and the size of the loan. This would ensure that the borrower does not leave any part of the loan unpaid. Additionally, lenders should implement safeguards to prevent borrowers from front-running the transaction and borrowing additional funds to be repaid in the same transaction.
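
The clamp that the recommendation describes, as an added example that is not code from the fuji-v2 repository or from the reporter. ICToken and IERC20 are minimal hypothetical interfaces (their function names and signatures match Compound v2's CToken and ERC20, but the contract itself is illustration only), and the borrower is assumed to be the calling contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal interfaces for this example; Compound v2's CToken
// exposes these two functions with these signatures (among many others).
interface ICToken {
    function repayBorrow(uint256 repayAmount) external returns (uint256);
    function borrowBalanceCurrent(address account) external returns (uint256);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract RepayExample {
    // Vulnerable pattern: `_amount` was computed off-chain from a borrow
    // balance that is stale by the time the transaction is mined, so the
    // interest accrued in between is left unpaid (or, if `_amount` exceeds
    // the balance, the cToken call fails).
    function repayExact(ICToken cToken, IERC20 token, uint256 _amount) external {
        token.approve(address(cToken), _amount);
        require(cToken.repayBorrow(_amount) == 0, "repay failed");
    }

    // Hardened pattern: treat `_amount` as an upper bound and repay
    // min(_amount, live balance). borrowBalanceCurrent() accrues interest
    // inside this same transaction, so the balance it returns is exact.
    function repayUpTo(ICToken cToken, IERC20 token, uint256 _amount)
        external
        returns (uint256 repaid)
    {
        uint256 owed = cToken.borrowBalanceCurrent(address(this));
        repaid = _amount < owed ? _amount : owed;
        if (repaid == 0) return 0;               // nothing outstanding
        token.approve(address(cToken), repaid);  // approve only what is sent
        require(cToken.repayBorrow(repaid) == 0, "repay failed");
    }
}
```

Compound v2's CToken also accepts `type(uint256).max` as a repay amount meaning "repay the full current borrow", which avoids the extra call when the caller holds enough tokens; the explicit clamp above is the general form that works when the caller's balance is the binding limit.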

0xdcota commented 1 year ago

At the time of the competition, the library to estimate the latest state of Compound was already implemented. Refer to LibCompoundV2.

This library is inspired by T11 from Paradigm here.

This issue is not applicable.