code-423n4 / 2024-04-lavarage-findings


Borrower can use own address as fee recipient to pay less interest to lender #3

Closed c4-bot-6 closed 4 months ago

c4-bot-6 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/swapback.rs#L183-L187

Vulnerability details

Proof of Concept

When a user repays SOL, he can provide a fee recipient. This is designed to be a UI account that receives that fee from users who use it. But it is also possible that users will make calls directly.

Let's check what the fee recipient receives during repay. It receives a profit share, which is the extra amount earned by the borrower. It also receives a lender interest share, which is part of the interest that was accrued.

There are 2 problems here:

Impact

Lenders do not receive full interest and borrowers can pay less.

Tools Used

VS Code

Recommended Mitigation Steps

I believe that the fee recipient should not get the interest share, only profit.

Assessed type

Error

c4-judge commented 4 months ago

alcueca marked the issue as duplicate of #18

c4-judge commented 4 months ago

alcueca marked the issue as satisfactory