Closed c4-bot-6 closed 4 months ago
alcueca marked the issue as duplicate of #18
alcueca marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/swapback.rs#L183-L187
Vulnerability details
Proof of Concept
When a user repays SOL, he can provide a fee recipient. This is designed to be a UI account that receives that fee from users who use it. But it is also possible that users will make calls directly.
Let's check what the fee recipient receives during repay. It receives the profit share, which is the extra amount earned by the borrower. It also receives the lender interest share, which is part of the interest that was accrued.
There are 2 problems here:
Impact
Lenders do not receive full interest and borrowers can pay less.
Tools Used
VsCode
Recommended Mitigation Steps
I believe that the fee recipient should not get the interest share, only profit.
Assessed type
Error