Closed: howlbot-integration[bot] closed 2 months ago

User mistake

Unnecessary validation. Users might set a longer `maxDueDate` if they want, and `maxTenor` will be checked while creating a loan later.

hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/BuyCreditLimit.sol#L42
Vulnerability details
Description
In the `BuyCreditLimit` library, the `validateBuyCreditLimit()` function properly validates that the `maxDueDate` is not set before `minTenor`:

The `maxDueDate` allows the lender to do the following: set `maxDueDate` to 10 months, creating a limit on the maximum length of a bid that can be matched with their offer. However, considering the current checks, it is possible for the lender to set the `maxDueDate` (either by mistake, or due to lack of interest in setting such a time limit) to be after the last tenor on the maturity axis of the corresponding yield curve.

Impact
According to the docs:

> Size's front-end and back-end systems will help lenders and borrowers to both: [...] and pick the best limit orders given user input preferences

meaning that the off-chain orderbook mechanism will choose the lowest available APR for the borrower's bid. This implies that a borrower could, either on purpose or by chance, create a bid with just the right length for the lender's offer explained above, which would get him a 0% APR, i.e. a free loan. This is because the yield curve uses a linear fitting, so after the last point on the maturity (x) axis the yield value on the yield (y) axis is always 0%.
Proof of Concept

It might be argued that this check is not desirable in the following scenario: `maxTenor` is 6 months and `maxDueDate` is set to the timestamp corresponding to the beginning of year 2025. However, even considering a scenario where the offer is not fulfilled for such a long time, the lender can always "cancel" their offer by selling their credit through the primary market to other lenders willing to wait.

- `minTenor : 1 hours`, `maxTenor : 5 * 365 days`, just like in the `Deploy.sol` contract.
- `maxDueDate` set to be greater than `block.timestamp + tenors[tenors.length - 1]`.
- `tenors[0]` equal to `2 years`.
- `2 years`, so it's the best match in the eyes of the order book.

Recommended Mitigation
Add the following check to the `validateBuyCreditLimit()` function to ensure `maxDueDate` is not greater than `tenors[tenors.length - 1]`:

Note that this does NOT limit the lender's ability to cancel their offer through selling credit to other lenders.
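The check the mitigation describes, written out as an added, self-contained illustration (this is not Size's code and not the warden's snippet). The struct layout, the `minTenor`/`maxTenor` state variables, the custom error names and the treatment of `maxDueDate == 0` as "no limit" are assumptions made for the example; only the comparison against `block.timestamp + tenors[tenors.length - 1]` comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example: a reduced validator showing the existing lower-bound check
/// next to the recommended upper-bound check. Not the project's own code.
contract BuyCreditLimitValidatorExample {
    // Assumed shape of the yield curve: tenors in seconds, ascending order.
    struct YieldCurve {
        uint256[] tenors;
        int256[] aprs;
    }

    // Assumed shape of the parameters passed to validateBuyCreditLimit().
    struct BuyCreditLimitParams {
        uint256 maxDueDate; // absolute timestamp; 0 means "no limit" (assumption)
        YieldCurve curve;
    }

    // Risk config values quoted in the report's PoC (as in Deploy.sol).
    uint256 public constant minTenor = 1 hours;
    uint256 public constant maxTenor = 5 * 365 days;

    // Hypothetical error names for the example.
    error EmptyYieldCurve();
    error MaxDueDateBeforeMinTenor(uint256 maxDueDate, uint256 earliestAllowed);
    error MaxDueDateAfterLastTenor(uint256 maxDueDate, uint256 latestAllowed);

    /// Reverts unless maxDueDate lies inside the window the curve can price.
    function validateBuyCreditLimit(BuyCreditLimitParams memory params) public view {
        uint256[] memory tenors = params.curve.tenors;
        if (tenors.length == 0) revert EmptyYieldCurve();

        // No explicit limit: nothing to compare (assumption for the example).
        if (params.maxDueDate == 0) return;

        // Existing behaviour described in the report: maxDueDate must not
        // fall before the minimum tenor.
        uint256 earliestAllowed = block.timestamp + minTenor;
        if (params.maxDueDate < earliestAllowed) {
            revert MaxDueDateBeforeMinTenor(params.maxDueDate, earliestAllowed);
        }

        // Recommended addition: maxDueDate must not extend past the last
        // point on the curve's maturity axis, so every matchable due date
        // has a tenor the curve actually defines an APR for.
        uint256 latestAllowed = block.timestamp + tenors[tenors.length - 1];
        if (params.maxDueDate > latestAllowed) {
            revert MaxDueDateAfterLastTenor(params.maxDueDate, latestAllowed);
        }
    }

    /// Convenience helper for the PoC scenario: true when a requested tenor
    /// (in seconds) is between the first and last curve points.
    function tenorCoveredByCurve(YieldCurve memory curve, uint256 tenor) public pure returns (bool) {
        if (curve.tenors.length == 0) return false;
        return tenor >= curve.tenors[0] && tenor <= curve.tenors[curve.tenors.length - 1];
    }
}
```

With a curve whose last point is `2 years`, a `maxDueDate` of `block.timestamp + 3 * 365 days` reverts with `MaxDueDateAfterLastTenor`, while `block.timestamp + 1 years` passes. Because the check only bounds the due-date window, the lender can still exit the position by selling the credit, as the mitigation notes.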
Assessed type
Invalid Validation