Open code423n4 opened 2 years ago
Oracle not compared to lender agreed value: confirmed, and I think this is the first time I've seen this particular vulnerability pointed out. Not marking the entire issue as a duplicate for that reason.
Oracle not checked on loan request: Not an issue, first reported in #62.
Lines of code
https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L312-L318
Vulnerability details
Issue: Arbitrary oracles are permitted on construction of loans, and there is no check that the lender agrees to the used oracle.
Consequences: A borrower who requests a loan with a malicious oracle can avoid legitimate liquidation.
Proof of Concept
oracle.get
call.removeCollateral
to liquidate the NFT when it should be allowed, as it will fail the check on L288removeCollateral
.Mitigations
require(params.oracle == accepted.oracle)
as a condition in_lend