Lodestar-Finance / lodestar-protocol

Houses the code for the Lodestar Finance DeFi protocol.
BSD 3-Clause "New" or "Revised" License

borrowBehalf() is used to borrow funds on behalf of other user #17

Closed rajatbeladiya closed 1 year ago

rajatbeladiya commented 1 year ago

Affected Contracts

CErc20.sol, CToken.sol

Severity

Medium

Description

https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/CErc20.sol#L106-L109

borrowBehalf() and redeemBehalf() are introduced to redeem and borrow on behalf of other users, but borrowBehalf() is unintended behaviour for users: the protocol's whitelisted users have the privilege to borrow on behalf of them without their permission. It can impact the integrity of the protocol. The actual behaviour should be that access is given by the user for their borrow.

Recommendation

Change the implementation of borrowBehalf() so that users can whitelist addresses to borrow on behalf of them.
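The before/after pattern this report describes, as an added Solidity illustration that is not the project's code: all contract, mapping and function names here are hypothetical, and the real CErc20/CToken accounting is reduced to a plain balance counter.

```solidity
// SPDX-License-Identifier: BSD-3-Clause
pragma solidity ^0.8.10;

// Added illustration (not the project's code): a minimal borrower-consent
// pattern for "behalf" operations. Names are hypothetical.
contract BehalfAuthorisation {
    mapping(address => bool) public whitelisted;                         // protocol-level operator list
    mapping(address => mapping(address => bool)) public borrowDelegates; // borrower => delegate => allowed
    mapping(address => uint256) public borrowBalance;                    // stand-in for real debt accounting
    address public admin;

    event DelegateUpdated(address indexed borrower, address indexed delegate, bool allowed);
    event Borrow(address indexed borrower, address indexed caller, uint256 amount);

    constructor() { admin = msg.sender; }

    function setWhitelisted(address op, bool allowed) external {
        require(msg.sender == admin, "only admin");
        whitelisted[op] = allowed;
    }

    // BEFORE (the behaviour the issue describes): any protocol-whitelisted caller
    // can open debt for an arbitrary borrower; the borrower never consented.
    function borrowBehalfUnchecked(address borrower, uint256 amount) external {
        require(whitelisted[msg.sender], "not whitelisted");
        _borrow(borrower, amount);
    }

    // The borrower opts in (or revokes) a specific delegate for their own account.
    function updateBorrowDelegate(address delegate, bool allowed) external {
        borrowDelegates[msg.sender][delegate] = allowed;
        emit DelegateUpdated(msg.sender, delegate, allowed);
    }

    // AFTER: debt can be opened for a borrower only by the borrower themselves
    // or by a delegate that borrower explicitly approved.
    function borrowBehalf(address borrower, uint256 amount) external {
        require(
            msg.sender == borrower || borrowDelegates[borrower][msg.sender],
            "caller not authorised by borrower"
        );
        _borrow(borrower, amount);
    }

    function _borrow(address borrower, uint256 amount) internal {
        borrowBalance[borrower] += amount;
        emit Borrow(borrower, msg.sender, amount);
    }
}
```

A protocol that still wants an operator allowlist can keep the whitelisted check in borrowBehalf alongside the borrower's delegate approval; the point is that the borrower's consent is the check that must not be absent.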

0xAppo commented 1 year ago

This issue is fixed in commit hash: 5c4bce2508b1df2b27c1b9e1299b4b4f1bd5218b.