Open c4-bot-2 opened 7 months ago
Lines of code
https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/loans/MultiSourceLoan.sol#L359-L360
Vulnerability details
Impact
Invalid maxTranches check can result in the maxTranche cap being exceeded.
Proof of Concept
In src/lib/loans/MultiSourceLoan.sol, there's a max cap for the number of tranches in a loan, defined as getMaxTranches. This cap can be exceeded.
There are two main vulnerabilities:
(1) getMaxTranches is not checked in some key flows where tranches can be added. These include emitLoan(), refinancePartial() (-> _addTrancheFromPartial()), and refinanceFromLoanExecutionData().
(2) Where getMaxTranches is checked, the check is invalid. Only _loan.tranche.length == getMaxTranches is checked. But combined with (1), when the number of tranches exceeds getMaxTranches in other flows, this check is invalid.

```solidity
//src/lib/loans/MultiSourceLoan.sol
    function addNewTranche(
        RenegotiationOffer calldata _renegotiationOffer,
        Loan memory _loan,
        bytes calldata _renegotiationOfferSignature
    ) external nonReentrant returns (uint256, Loan memory) {
...
        //@audit change to _loan.tranche.length >= getMaxTranches
|>      if (_loan.tranche.length == getMaxTranches) {
            revert TooManyTranchesError();
        }
...
```

(https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/loans/MultiSourceLoan.sol#L359)
Tools Used
Manual
Recommended Mitigation Steps
Add missing checks on getMaxTranches for all flows that might add tranches. And in addNewTranche, change the check to _loan.tranche.length >= getMaxTranches.
Assessed type
Other
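The interaction between the two defects in this report can be reproduced in a stripped-down model. This is an added example, not code from the Gondi repository or from the submission; the contract names, addUnchecked(), trancheCount(), run() and the cap value of 2 are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

/// Simplified model (not the Gondi contract): tracks only the tranche count.
contract TrancheCapModel {
    error TooManyTranchesError();

    uint256 public immutable getMaxTranches; // cap, named as in the report
    uint256[] internal tranche;              // stand-in for _loan.tranche

    constructor(uint256 maxTranches) {
        getMaxTranches = maxTranches;
    }

    function trancheCount() external view returns (uint256) {
        return tranche.length;
    }

    /// Hypothetical stand-in for a flow that adds a tranche with no cap check.
    function addUnchecked() external {
        tranche.push(0);
    }

    /// Equality check as quoted in the report: only blocks length == cap.
    function addNewTrancheEq() external {
        if (tranche.length == getMaxTranches) revert TooManyTranchesError();
        tranche.push(0);
    }

    /// Recommended form: also blocks once length is already above the cap.
    function addNewTrancheGte() external {
        if (tranche.length >= getMaxTranches) revert TooManyTranchesError();
        tranche.push(0);
    }
}

contract TrancheCapDemo {
    /// Fill to the cap, step over it via the unchecked flow, then try both checks.
    function run() external returns (uint256 lenAfterEq, bool gteReverted) {
        TrancheCapModel m = new TrancheCapModel(2);
        m.addUnchecked();
        m.addUnchecked();    // length == cap
        m.addUnchecked();    // unchecked flow: length is now cap + 1
        m.addNewTrancheEq(); // does not revert, because length != cap
        lenAfterEq = m.trancheCount();
        try m.addNewTrancheGte() {} catch {
            gteReverted = true;
        }
    }
}
```

The `>=` comparison only stops further growth from addNewTranche; the model still lets addUnchecked() pass the cap, which is why the report also asks for the check in every flow that adds tranches.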
0xA5DF marked the issue as primary issue
0xA5DF marked the issue as selected for report
0xA5DF marked the issue as satisfactory
https://github.com/pixeldaogg/florida-contracts/pull/358