code-423n4 / 2022-04-backed-findings


Malicious owner can steal some funds from borrower #111

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-backed/blob/main/contracts/NFTLoanFacilitator.sol#L306-L312

Vulnerability details

Impact

Owner can make changes to the protocol with immediate effect. A malicious owner can watch for a big lend in the mempool and front-run it by maxing out originationFeeRate to 5%. The users, both lender and borrower, will still think that originationFeeRate is the same as when they created and accepted the loan respectively, and the loan will go through. In this scenario the borrower will receive less funds than they were expecting but still be expected to pay the full loan amount with a maximum difference of 5%. The owner can reset originationFeeRate to the original value afterwards, and continue to do this until they are caught.

Proof of Concept

Owner can set the fee to 0%. A user using a golden BAYC NFT can ask for a $1m loan, thinking the origination fee is 0%. The owner can take 5% from this user, netting a $50000 profit. The owner can then change the rate back, incentivizing others to lend. This can be repeated for as long as users keep using the contract.

Tools Used

Manual analysis

Recommended Mitigation Steps

Set a multisig as the owner and use a timelock.

wilsoncusack commented 2 years ago

The only true mitigation here would be to store originationFeeRate in the Loan struct at the time of origination to guarantee a borrower gets the fee rate that was present when they created the loan. But we do not plan to make this change.
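
The per-loan snapshot described in the comment above, as an added example (not code from the Backed repository or from either commenter). Token and NFT transfers are left out, and every name other than `originationFeeRate` and the `Loan` struct, including the `SCALAR` value, is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Added illustration, not the NFTLoanFacilitator contract. Names other than
// originationFeeRate and Loan are hypothetical; asset transfers are omitted.
contract FeeSnapshotFacilitator {
    uint256 public constant SCALAR = 1000;      // assumed scale: 50 == 5%
    uint256 public constant MAX_FEE_RATE = 50;  // the 5% cap from the report

    address public immutable owner;
    uint256 public originationFeeRate;          // global rate, owner-controlled

    struct Loan {
        address borrower;
        uint256 minAmount;
        uint256 originationFeeRate; // snapshot taken when the loan is created
        bool funded;
    }
    Loan[] public loans;

    event Lent(uint256 indexed loanId, uint256 toBorrower, uint256 fee);

    constructor() { owner = msg.sender; }

    function updateOriginationFeeRate(uint256 newRate) external {
        require(msg.sender == owner, "not owner");
        require(newRate <= MAX_FEE_RATE, "max fee 5%");
        originationFeeRate = newRate; // immediate effect, as in the report
    }

    function createLoan(uint256 minAmount) external returns (uint256 id) {
        id = loans.length;
        loans.push(Loan(msg.sender, minAmount, originationFeeRate, false));
    }

    // Returns the split the borrower and the facilitator would receive.
    function lend(uint256 id, uint256 amount)
        external returns (uint256 toBorrower, uint256 fee)
    {
        Loan storage loan = loans[id];
        require(!loan.funded, "already funded");
        require(amount >= loan.minAmount, "amount too low");
        loan.funded = true;
        // Read the per-loan snapshot, not the current global rate, so a rate
        // change made after createLoan cannot alter this borrower's proceeds.
        fee = amount * loan.originationFeeRate / SCALAR;
        toBorrower = amount - fee;
        emit Lent(id, toBorrower, fee);
    }
}
```

With this layout, an `updateOriginationFeeRate` call that lands between `createLoan` and `lend` only affects loans created afterwards.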

wilsoncusack commented 2 years ago

28