Arachnid
commented
3 years ago Another way to look at this is that the borrower gets gracePeriod extra days of borrowing for free - just by deferring their final payment. Agree with Medium.
Open code423n4 opened 3 years ago
Arachnid
commented
3 years ago Another way to look at this is that the borrower gets gracePeriod extra days of borrowing for free - just by deferring their final payment. Agree with Medium.
lucas-manuel
commented
3 years ago If they deferred their final payment and did makeFullPayment instead of makePayment they would pay premiumFee on their principal, which is set to be a larger amount than a given payment plus late fee, so they would be losing money in this case.
Arachnid
commented
3 years ago Based on my understanding of the code:
Relevant configurable parameters are the payment interval (payment_interval), grace period before foreclosure (grace_period), interest payment size (interest_payment), late payment fee as a percentage of interest payment size (late_fee), and premium fee (premium_fee).
If payment_interval * 2 < grace_period, it's possible to be late multiple payments - in which case you pay multiple late fees.
Without charging late payment fees on a full repayment, there are two scenarios in which the borrower can end up better off:
(payment_interval / grace_period) * late_fee > premium_fee, once the borrower is late some number of payment_intervals, they pay less by doing a full repayment with the premium fee than by paying off the normal way.(payment_interval / grace_period) * interest_payment > premium_fee, they can treat the grace period as an extra loan period, and pay no more than they would have in interest (possibly less, depending on the parameters).Since both of these are only possible with certain parameter values, I'm downgrading this to Low. This could be remedied by either putting range checks for these parameter values in loan initialisation, or by calculating 'missed interest' and late fees in makeFullPayment and taking the minimum of that and the premium fee.
lucas-manuel
commented
3 years ago We're going to leave as is and just ensure that Pool Delegates are educated around Loan terms and what they entail before funding them.
lucas-manuel
commented
3 years ago @Arachnid we have addressed this issue
Handle
shw
Vulnerability details
Impact
Since the calculation of
makeFullPayment(Loan.sol#249) does not consider whether the payment is late or not, the borrower can avoid paying late fees by only callingmakeFullPaymentinstead ofmakePayment(Loan.sol#238). The borrower has no incentive to repay the loan in time and couldProof of Concept
The full payment is calculated by
PremiumCalc, which ignores whether the payment is late or not. A configured premium fee calculates the interest; however, it is a fixed value through time. The interest that a borrower should pay for borrowing the loan for any amount of time (e.g., a month or a year) is the same.Tools Used
None
Recommended Mitigation Steps
Calculate late fees in
PremiumCalcas inRepaymentCalcto let the borrower pay late fees based on theaprof loan.