Lines of code
Vulnerability details
C4 Issue
M-17: loan.hash() does not contain protocolFee
Comments
Original vulnerabilities/impacts: The issue is that the loan’s hashing function (Hash::hash) doesn’t include the protocolFee field. As a result, protocolFee is not checked in _baseLoanChecks(), where the stored loan hash is verified against user input. This allows a user to input any protocolFee for a given loan and avoid paying the protocolFee.
Mitigation
Fix: https://github.com/pixeldaogg/florida-contracts/pull/388/files
The mitigation is to include the protocolFee field in the loan’s hashing function. In addition, the mitigation updated the Loan struct’s typeHash with the correct fields.
The mitigation resolved the original issue.
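An added illustration of the finding and its fix, not code from the project or the pull request: a small Python model of a stored-hash check in which the caller supplies the full loan struct. SHA-256 stands in for keccak256, and every field name other than protocolFee, along with the sample values, is hypothetical.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Loan:
    # Field set is an assumption; only protocolFee is named on the page.
    loan_id: int
    borrower: str
    principal: int
    protocol_fee: int  # basis points

def _digest(*fields) -> bytes:
    # SHA-256 over length-prefixed encodings stands in for keccak256(abi.encode(...)).
    h = hashlib.sha256()
    for f in fields:
        raw = f.encode() if isinstance(f, str) else f.to_bytes(32, "big")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.digest()

def hash_before_fix(loan: Loan) -> bytes:
    # protocol_fee is not committed to, as in the original finding.
    return _digest(loan.loan_id, loan.borrower, loan.principal)

def hash_after_fix(loan: Loan) -> bytes:
    # Every field that affects settlement is part of the hash.
    return _digest(loan.loan_id, loan.borrower, loan.principal, loan.protocol_fee)

def base_loan_checks(stored_hash: bytes, supplied: Loan, hash_fn) -> bool:
    # Plays the role of _baseLoanChecks(): caller-supplied struct vs stored hash.
    return hash_fn(supplied) == stored_hash

def fee_charged(stored_hash: bytes, supplied: Loan, hash_fn):
    """Return the fee taken on repayment, or None if the loan is rejected."""
    if not base_loan_checks(stored_hash, supplied, hash_fn):
        return None
    return supplied.principal * supplied.protocol_fee // 10_000

# Constructed sample loan: 1,000,000 units at a 250 bps protocol fee.
ORIGINAL = Loan(loan_id=1, borrower="0xB0b", principal=1_000_000, protocol_fee=250)
TAMPERED = replace(ORIGINAL, protocol_fee=0)  # same loan, fee field altered by caller

if __name__ == "__main__":
    for name, fn in (("before fix", hash_before_fix), ("after fix", hash_after_fix)):
        stored = fn(ORIGINAL)
        print(name, fee_charged(stored, ORIGINAL, fn), fee_charged(stored, TAMPERED, fn))
```

A regression test for this class of bug alters each struct field in turn and asserts that the hash changes, which catches any field left out of the hashing function.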
Conclusion
LGTM