search

code-423n4 / 2024-04-lavarage-findings

2 stars 2 forks source link

Well collateralized loans can be locked forever #9

Closed c4-bot-2 closed 4 months ago

c4-bot-2 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-lavarage/blob/9e8295b542fb71b2ba9b4693e25619585266d19e/libs/smart-contracts/programs/lavarage/src/processor/swap.rs#L12

Vulnerability details

Impact

Borrowed funds might never be returned, and collateral can be stuck inside the position, potentially forever.

This happens when the borrower doesn't repay the loan and if it remains collateralized to the extent that it can never be liquidated, as there aren't any time limits for the loan.

Proof of Concept

Borrowers can borrow well collaterilazed loans that can't be liquidated anytime soon as they have an infinite duration. Lenders cannot extract the collateral (supposing a healthy LTV), no matter how much time passes.

Borrowers might have no incentive to do so, but this scenario can easily happen anyway: for example, borrowers might lose access to their wallets or they might even die.

If this happens, funds are stuck inside the position until the LTV is high enough to liquidate the position (potentially never).

Tools Used

Manual review

Recommended Mitigation Steps

Consider implementing a maximum duration for the loan: if this time passes and the borrower doesn't repay it, the lender should be able to liquidate it.

Assessed type

Timing

c4-judge commented 4 months ago

alcueca marked the issue as duplicate of #10

c4-judge commented 4 months ago

alcueca marked the issue as satisfactory

c4-judge commented 4 months ago

alcueca changed the severity to 3 (High Risk)

DadeKuma commented 4 months ago

Not a dup. What I'm saying here is that loans have no time limits. Even if #10 is fixed, this won't be fixed for loans with a low interest. Funds can be locked for years, and lenders have no way to extract the collateral. Loans with zero interest can be locked forever. Please re-check.

Arabadzhiew commented 4 months ago

I agree, this issue is not a dup of #10. However, given that there is no incentive for users to not close their borrow positions for long periods of time, since their loans will always be over-collateralized and they will be accruing more interest fees the more they keep their borrowed SOL, and also that them loosing access to their private key is a very unlikely scenario, I believe that the severity of this issue is borderline Medium/Low.

alcueca commented 4 months ago

The design includes borrowing rates, which is the usual mechanism to ensure that loans are repaid. Refactoring the protocol to include fixed terms seems out of scope to me. I'm accepting this issue as a duplicate of #10 as it rightly points out the issue that loans can stay open forever, even if the remediation suggested is not optimal.

c4-judge commented 3 months ago

alcueca changed the severity to 2 (Med Risk)

c4-judge commented 3 months ago

alcueca changed the severity to 3 (High Risk)

c4-judge commented 3 months ago

alcueca changed the severity to 2 (Med Risk)

thebrittfactor commented 3 months ago

Based on the Appellate Court Decision here, this issue has been upgraded to High severity.