code-423n4 / 2024-04-gondi-findings


emitLoan() lack of checks <=getMaxTranches #31

Closed c4-bot-10 closed 7 months ago

c4-bot-10 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/loans/MultiSourceLoan.sol#L124-L128

Vulnerability details


Currently emitLoan() doesn't limit _loan.tranche.length to <= getMaxTranches.

And in addNewTranche() it is only checked that _loan.tranche.length == getMaxTranches will revert with TooManyTranchesError().

    function addNewTranche(
        RenegotiationOffer calldata _renegotiationOffer,
        Loan memory _loan,
        bytes calldata _renegotiationOfferSignature
    ) external nonReentrant returns (uint256, Loan memory) {
...
        if (_loan.tranche.length == getMaxTranches) {
            revert TooManyTranchesError();
        }

This way, as long as emitLoan() is executed with tranche.length == getMaxTranches + 1, addNewTranche() can then skip the limit and add unlimited tranches.

Impact

Adding too many tranches causes GAS_OUT, which can lead to failure of liquidation, and so on.

Recommended Mitigation

    function _processOffersFromExecutionData(
        address _borrower,
        address _principalReceiver,
        address _principalAddress,
        address _nftCollateralAddress,
        uint256 _tokenId,
        uint256 _duration,
        OfferExecution[] calldata _offerExecution
    ) private returns (uint256, uint256[] memory, Loan memory, uint256) {
...

+       if (tranche.length > getMaxTranches) {
+           revert TooManyTranchesError();
+       }

        Loan memory loan = Loan(
            _borrower,
            _tokenId,
            _nftCollateralAddress,
            _principalAddress,
            totalAmount,
            block.timestamp,
            _duration,
            tranche,
            protocolFee.fraction
        );

        return (loanId, offerIds, loan, totalFee);
    }
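Review bot: the added `if (tranche.length > getMaxTranches)` check sits after the elided part of `_processOffersFromExecutionData` that fills `tranche`, so an over-long call still pays for processing every offer before the revert; if `tranche` holds one entry per element of `_offerExecution`, the same bound can be applied as `_offerExecution.length > getMaxTranches` at the top of the function and fail fast. Either placement closes the gap this finding describes, because `addNewTranche()` already rejects a loan whose length equals `getMaxTranches`, and the `>` comparison here means emitLoan() can create at most `getMaxTranches` tranches.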

Assessed type

Context
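The pattern the finding points at is that two entry points can grow the same tranche array but only one of them enforces the bound. The following contract is an added example, not Gondi's MultiSourceLoan and not code from this issue: it is a stripped-down loan store in which one internal check is the single source of truth for the bound, and both paths that set the tranche count call it with the length the loan would have after the operation. The contract name, `maxTranches`, `emitLoan`, `addNewTranche`, `trancheCount` and the struct shapes are all assumed for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (assumed names), not Gondi's code: a minimal loan store that
/// enforces a single tranche bound on every path that can grow `tranches`.
contract TrancheBoundedLoan {
    struct Tranche {
        address lender;
        uint256 principal;
    }

    struct Loan {
        address borrower;
        Tranche[] tranches;
    }

    error TooManyTranchesError();

    uint256 public immutable maxTranches;
    uint256 public nextLoanId;
    mapping(uint256 => Loan) private _loans;

    constructor(uint256 _maxTranches) {
        maxTranches = _maxTranches;
    }

    /// One invariant check shared by every path that changes the tranche count.
    /// `_resultingLength` is the length the loan would have AFTER the operation,
    /// so the same predicate serves both creation and renegotiation.
    function _checkTrancheBound(uint256 _resultingLength) internal view {
        if (_resultingLength > maxTranches) revert TooManyTranchesError();
    }

    /// Loan creation: the bound is applied to the initial tranche array, which is
    /// the check the finding reports as missing from emitLoan().
    function emitLoan(Tranche[] calldata _tranches) external returns (uint256 loanId) {
        _checkTrancheBound(_tranches.length);
        loanId = nextLoanId++;
        Loan storage loan = _loans[loanId];
        loan.borrower = msg.sender;
        for (uint256 i = 0; i < _tranches.length; i++) {
            loan.tranches.push(_tranches[i]);
        }
    }

    /// Renegotiation path: same bound, expressed as "length after the push".
    /// A `== maxTranches` pre-check would let a loan that already sits above the
    /// bound keep growing; `length + 1 > maxTranches` rejects it regardless of how
    /// the loan reached that length.
    function addNewTranche(uint256 _loanId, Tranche calldata _tranche) external {
        Loan storage loan = _loans[_loanId];
        _checkTrancheBound(loan.tranches.length + 1);
        loan.tranches.push(_tranche);
    }

    function trancheCount(uint256 _loanId) external view returns (uint256) {
        return _loans[_loanId].tranches.length;
    }
}
```

With `maxTranches` set to 3, a call to `emitLoan` with four tranches reverts with `TooManyTranchesError`, a call with three succeeds, and a following `addNewTranche` on that loan reverts because the resulting length would be four; a unit test that asserts on exactly these three outcomes covers both entry points, which is the regression the finding's single-sided check would have missed.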

c4-judge commented 7 months ago

0xA5DF marked the issue as duplicate of #80

c4-judge commented 7 months ago

0xA5DF marked the issue as satisfactory