Open code423n4 opened 2 years ago
An extension can only be granted once for a particular loan, so this attack cannot be replayed, and there are no assets at risk. We would suggest a (1) Low-Risk factor for this issue.
Downgrading to low risk based on the fact that the lenders would have to willingly lend out their tokens in order for this to happen so they in fact control the attack vector.
1 — Low: Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.
Handle
cmichel
Vulnerability details
The Extension contract uses the current balance (IPool.getBalanceDetails(msg.sender)) as the voting power. If this passes the threshold the extension is granted, doesn't matter that removeVotes removes the votes when transferring the tokens away from the voter.
If there's a secondary market for the pool tokens that allows flashloans, this means a lender (for example, the borrower could have approved itself before) can flashloan this amount, extend their repayment duration, and pay back the flashloan.
Recommended Mitigation Steps
Use a snapshot-based voting system like the Comp token does, or ungrant the extension in removeVotes if it doesn't reach the threshold anymore.
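A simplified Python model of the check described in the report above and of the snapshot mitigation it recommends, added here as an illustration and not taken from the audited contracts or from the report. PoolToken, the absolute threshold, the account names and all function names are assumptions; the checkpointing follows the per-block pattern used by Comp-style prior-vote lookups.

```python
class PoolToken:
    """Constructed model of a pool token with per-block balance checkpoints."""
    def __init__(self):
        self.block, self.balances, self.checkpoints = 0, {}, {}
    def mine(self):
        self.block += 1

    def _write(self, who, bal):
        self.balances[who] = bal
        cps = self.checkpoints.setdefault(who, [])
        if cps and cps[-1][0] == self.block:
            cps[-1] = (self.block, bal)   # same block: keep only the final value
        else:
            cps.append((self.block, bal))

    def mint(self, who, amt):
        self._write(who, self.balances.get(who, 0) + amt)

    def transfer(self, src, dst, amt):
        if self.balances.get(src, 0) < amt:
            raise ValueError("insufficient balance")
        self._write(src, self.balances[src] - amt)
        self._write(dst, self.balances.get(dst, 0) + amt)

    def prior_balance(self, who, block):
        if block >= self.block:
            raise ValueError("block not finalized")
        past = [v for b, v in self.checkpoints.get(who, []) if b <= block]
        return past[-1] if past else 0

def vote_current_balance(token, voter, threshold):
    # Check as described in the report: voting power is the live balance.
    return token.balances.get(voter, 0) >= threshold

def vote_snapshot(token, voter, threshold, request_block):
    # Mitigation: voting power is the balance at the extension-request block.
    return token.prior_balance(voter, request_block) >= threshold

def scenario():
    t = PoolToken()
    t.mint("market", 1000)                # constructed sample balances
    t.mint("voter", 10)
    t.mine()
    request_block = t.block               # extension requested in this block
    t.mine()
    t.transfer("market", "voter", 900)    # temporary balance within one block
    flawed = vote_current_balance(t, "voter", 500)
    snap = vote_snapshot(t, "voter", 500, request_block)
    t.transfer("voter", "market", 900)    # returned in the same block
    return flawed, snap, t.balances["voter"]
```

In the model the live-balance check passes while the voter briefly holds the extra tokens, whereas the snapshot check reads the finalized balance from the request block and is unaffected by balances that exist only inside a later block.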