code-423n4 / 2023-12-ethereumcreditguild-findings


Borrowers can lose their collateral if a proposal for offboarding is approved in a short time #1200

Closed c4-bot-7 closed 5 months ago

c4-bot-7 commented 6 months ago

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L159

Vulnerability details

Impact

For the liquidation of a borrower's position, either the lending term should be deprecated or a minimum partial repayment time should have passed. If the lending term is active and a proposal for offboarding the term is created, it is possible for the proposal to be approved in a short time, leading to the deprecation of the lending term. This could lead to the borrowers losing their collateral since anyone can liquidate their position.

Anyone can create a proposal for offboarding a lending term by simply calling the proposeOffboard function in the LendingTermOffboarding contract. The reason for this may be a misconfiguration or the lending term having bad debt. Additionally, anyone holding the GUILD token can vote through calling the supportOffboard function. The maximum time for approving a proposal is approximately 7 days (46523 blocks). To approve a proposal, a quorum must be reached.

It is possible for a quorum to be reached in a short time, around 1-2 hours, leading to the offboarding of the lending term, resulting in its deprecation, and new loans cannot be created. This opens up potential problems for active borrowers of this lending term because their loans can be called and sent to auction. The active borrowers may not be able to react in such a short time and they will lose their collateral.

Tools Used

Manual Review

Recommended Mitigation Steps

When a LendingTerm is offboarded, give borrowers at least 1 day to repay their loans.

Assessed type

Invalid Validation
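
The recommended mitigation above, as an added Solidity sketch that is not part of the original report or of the Ethereum Credit Guild code base: loans on a deprecated term become callable only after a grace period, while repayment stays open. The contract name, `offboarder`, `deprecatedAt`, `CALL_GRACE_PERIOD` and `callLoan` are hypothetical, and the 1-day value is the minimum the report suggests.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added sketch, not code from the audited repository. Every name here is
// hypothetical; token transfers, auctions and the missed-partial-repayment path are omitted.
contract GracePeriodTerm {
    uint256 public constant CALL_GRACE_PERIOD = 1 days; // minimum the report recommends
    address public immutable offboarder; // stands in for the offboarding contract
    uint256 public deprecatedAt; // 0 while the term is active

    struct Loan { address borrower; uint256 debt; bool called; }
    mapping(uint256 => Loan) public loans;
    uint256 public nextLoanId;

    constructor(address _offboarder) {
        offboarder = _offboarder;
    }

    // Invoked once the offboarding quorum is reached.
    function deprecate() external {
        require(msg.sender == offboarder, "not offboarder");
        require(deprecatedAt == 0, "already deprecated");
        deprecatedAt = block.timestamp;
    }

    // New loans stop as soon as the term is deprecated.
    function borrow(uint256 amount) external returns (uint256 id) {
        require(deprecatedAt == 0, "term deprecated");
        require(amount != 0, "zero amount");
        id = nextLoanId++;
        loans[id] = Loan(msg.sender, amount, false);
    }

    // Repayment stays open until the loan is called.
    function repay(uint256 id) external {
        Loan storage loan = loans[id];
        require(loan.debt != 0 && !loan.called, "not repayable");
        delete loans[id];
    }

    // Anyone may call a loan, but only once the grace period has elapsed.
    function callLoan(uint256 id) external {
        require(deprecatedAt != 0, "term active");
        require(block.timestamp >= deprecatedAt + CALL_GRACE_PERIOD, "grace period");
        Loan storage loan = loans[id];
        require(loan.debt != 0 && !loan.called, "not callable");
        loan.called = true; // a real term would start the collateral auction here
    }
}
```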

0xSorryNotSorry commented 6 months ago

this is the intended mechanism

c4-pre-sort commented 6 months ago

0xSorryNotSorry marked the issue as insufficient quality report

Trumpero commented 5 months ago

Intended design. Users can still claim their collateral by participating in the auction. If others place bids, they will receive the redundant collateral.

c4-judge commented 5 months ago

Trumpero marked the issue as unsatisfactory: Invalid