lucas-manuel
commented
3 years ago Definitely not a high severity bug, but will address this.
Open code423n4 opened 3 years ago
lucas-manuel
commented
3 years ago Definitely not a high severity bug, but will address this.
Handle
paulius.eth
Vulnerability details
Vulnerability details
Every loan has its own fundingPeriod which is set once in the constructor: fundingPeriod = globals.fundingPeriod(); fundingPeriod in globals can change. It does not effect already deployed Loans. However, in Loan contract function unwind() calls LoanLib.unwind which checks against globals.fundingPeriod(): IGlobals globals = _globals(superFactory); // Only callable if time has passed drawdown grace period, set in MapleGlobals require(block.timestamp > createdAt.add(globals.fundingPeriod()), "Loan:FUNDING_PERIOD_NOT_FINISHED"); at this time, globals.fundingPeriod() could be different than this specific Loan's fundingPeriod.
Recommended Mitigation Steps
Check expiration against local fundingPeriod.