c4-bot-5 commented 3 months ago

Lines of code

Vulnerability details

C4 Issue

M-02: A malicious user can take on a loan using an existing borrower's collateral in refinanceFromLoanExecutionData()

Comments

Original vulnerabilities/impacts: In refinanceFromLoanExecutionData(), no checks to ensure that _loan.borrower == _loanExecutionData.borrower. The attack vector is that a different borrower can receive loan principals using the existing loan borrower’s collateral.

Mitigation

Fix: https://github.com/pixeldaogg/florida-contracts/pull/359/files

//src/lib/loans/MultiSourceLoan.sol
    function _validateExecutionData(LoanExecutionData calldata _executionData, address _borrower) private view {
        if (msg.sender != _borrower) {
            _checkSignature(
|>              _borrower, _executionData.executionData.hash(), _executionData.borrowerOfferSignature
            );
        }
...

The mitigation is (1) use the existing loan borrower (_loan.borrower) as the borrower for the new loan and (2) _validateExecutionData() is re-written to check executionData’s signature against the passed borrower (loan.borrower). This ensures that if msg.sender is not the existing loan borrower, checkSignature() will correctly ensure that loanExecutionData is signed by the existing loan borrower (_loan.borrower).

The attack vector of a different borrower taking out a new loan from the existing loan borrower is eliminated. Only the existing loan borrower will take on the new loan. The issue is resolved.

Test

The revised test is passing

Conclusion

LGTM

c4-judge commented 3 months ago

alex-ppg marked the issue as satisfactory