search

code-423n4 / 2022-04-abranft-findings

0 stars 0 forks source link

Lender can immediately liquidate valued Collateral in NFTPairWithOracle contract #174

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L205-L210 https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L288

Vulnerability details

Impact

A lender can liquidate a borrower's collateral immediately by calling updateLoanParams() in the NFTPairWithOracle contract where the ltvBPS for the params struct is set to 0. This bypasses the checks to make sure that the terms are favourable to the borrower.

This allows the lender to then call removeCollateral and steal the collateral from the borrower as the "max" loan has now been to set to 0.

This means that a borrower can almost instantly lose their collateral when borrowing assets and therefore nullifying the primary service of the contract.

Proof of Concept

A POC script can be found here

Recommended Mitigation Steps

Change params.ltvBPS <= cur.ltvBPS to params.ltvBPS >= cur.ltvBPS in here

cryptolyndon commented 2 years ago

Duplicate of #51

cryptolyndon commented 2 years ago

l