Open c4-bot-4 opened 4 months ago
piske-alex (sponsor) confirmed
alcueca marked the issue as satisfactory
alcueca marked the issue as selected for report
Even given that this will be an exceedingly rare event, there will be losses to innocent users if the account of a trading pool becomes frozen. Given that this is an avoidable issue, the severity stays as medium.
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/lending.rs#L9-L20
Vulnerability details
Impact
SPL tokens are used as collateral in the protocol. On borrow, there is a transfer from the borrower into a PDA (position account). On repay, the other way around.
However, SPL token could have a freeze authority. Therefore, any account is vulnerable to be frozen. This could be harmful for both borrowers and lenders. I beleive, The protocol should be resilient enough to not fall into such situations where the funds are locked and borrowing or repaying are DoSed.
Proof of Concept
There is no check for freeze authority of the mint (i.e. token).
More info on freeze authority feature:
SPL Token#freezing-accounts
Tools Used
Manual analysis
Recommended Mitigation Steps
Ensure the collateral token does not have an active freeze_authority. If the freeze_authority was set to None, then freezing feature can never work again.
Assessed type
Access Control