code-423n4 / 2021-04-maple-findings


Griefing attack on loan creation in LoanFactory.sol #93

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

Loans are meant to be created only by borrowers who are institutions that want to borrow capital from the Maple protocol. Per the specification (https://github.com/maple-labs/maple-core/wiki/Protocol-Actors#borrower) they do so by creating a Request for Loan that is reviewed and analysed by Pool Delegates. So borrowers are well-known actors in the Maple protocol.

However, createLoan has no access control and may be called by anyone. While Pool Delegates will not fund such arbitrary loans created by unknown entities (i.e. not known Borrowers), this may only grief the protocol and cause confusion among actors.

Proof of Concept

https://github.com/maple-labs/maple-core/blob/60a341f5cb4b5c4d85320d3ee1b2bae4322c5078/contracts/LoanFactory.sol#L73-L121

https://github.com/maple-labs/maple-core/wiki/Loan-Creation#borrower-transactions

Tools Used

Manual Analysis

Recommended Mitigation Steps

Whitelist the borrowers in the protocol and allow only whitelisted borrowers to create loans in the protocol.
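
A minimal sketch of the whitelist mitigation recommended above, added here as an illustration and not taken from the report or from maple-core. The contract names, the governor role, the parameterless `createLoan` signature and the `LoanStub` placeholder are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for a loan; the real Loan contract is not reproduced here.
contract LoanStub {
    address public immutable borrower;
    constructor(address _borrower) { borrower = _borrower; }
}

// Hypothetical factory: the names, the governor role and the createLoan
// signature are assumptions for illustration, not maple-core's API.
contract GatedLoanFactory {
    address public immutable governor;
    mapping(address => bool) public isBorrower; // whitelist of vetted borrowers
    mapping(address => bool) public isLoan;     // loans deployed by this factory
    uint256 public loansCreated;

    event BorrowerSet(address indexed borrower, bool allowed);
    event LoanCreated(address indexed loan, address indexed borrower);

    constructor(address _governor) {
        require(_governor != address(0), "governor is zero address");
        governor = _governor;
    }

    // Only the governor may add or remove borrowers from the whitelist.
    function setBorrower(address borrower, bool allowed) external {
        require(msg.sender == governor, "caller is not governor");
        require(borrower != address(0), "borrower is zero address");
        isBorrower[borrower] = allowed;
        emit BorrowerSet(borrower, allowed);
    }

    // Without the first require, any address can deploy loans through the
    // factory, which is the unrestricted behaviour the finding describes.
    function createLoan() external returns (address loan) {
        require(isBorrower[msg.sender], "caller is not a whitelisted borrower");
        loan = address(new LoanStub(msg.sender));
        isLoan[loan] = true;
        loansCreated++;
        emit LoanCreated(loan, msg.sender);
    }
}
```

The `BorrowerSet` and `LoanCreated` events give off-chain monitoring a way to confirm that every loan a factory registers traces back to a borrower the governor approved.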

lucas-manuel commented 3 years ago

This is a known issue, but since it will cost about $1k in gas for each loan, we are not addressing it.