sherlock-audit / 2023-01-ajna-judging


Jeiwan - Anyone who approved quote tokens to a pool can be forced to take #145

Open github-actions[bot] opened 1 year ago


Jeiwan

high

Anyone who approved quote tokens to a pool can be forced to take

Summary

Taking may be executed on behalf of any address that has approved spending of quote tokens to a pool: such an address will pay quote tokens and will receive collateral.

Vulnerability Detail

ERC20Pool and ERC721Pool implement the take functions, which buy collateral from an auction in exchange for quote tokens. The address to pull quote tokens from is specified in the callee_ argument, which allows anyone to call the functions and pass an address that has previously approved spending of the quote token to the pool. As a result, such an address will pay for the liquidation and will receive the collateral.

Impact

Anyone can initiate a take on behalf of another user. Such a user may be a lender who has previously approved spending of the quote token to the pool. Calling take with the user's address specified as the callee_ argument will result in:

  1. the user receiving collateral, which may have low value;
  2. the user paying the quote token to repay the debt being taken.

Code Snippet

ERC20Pool.sol#L460 ERC721Pool.sol#L463

Tool used

Manual Review

Recommendation

In the ERC20Pool.take and ERC721Pool.take functions, consider transferring collateral only from msg.sender. Alternatively, consider checking that callee_ has approved spending of quote tokens to msg.sender.
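The pattern described in this finding, as an added illustration that is not Ajna's code: a simplified pool whose `takeUnsafe` pulls quote tokens from whatever `callee_` the caller names, next to two hardened variants that follow the two recommendations above. Auction pricing and pool accounting are omitted; the token amounts are passed in directly to keep the example focused on who pays.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified illustration of the take() authorization issue (not Ajna's code).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract TakeAuthorizationExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable quoteToken;
    IERC20 public immutable collateral;

    constructor(IERC20 quoteToken_, IERC20 collateral_) {
        quoteToken = quoteToken_;
        collateral = collateral_;
    }

    // Vulnerable pattern: the payer is whoever the caller names in `callee_`.
    // Any address that approved the pool (e.g. a lender) can be made to pay
    // quote tokens and receive the auctioned collateral without consenting.
    function takeUnsafe(address callee_, uint256 quoteAmount, uint256 collateralAmount) external {
        quoteToken.safeTransferFrom(callee_, address(this), quoteAmount);
        collateral.safeTransfer(callee_, collateralAmount);
    }

    // Hardened variant 1 (first recommendation): only the caller's own
    // approval is spent, so nobody can take on another address's behalf.
    function takeFromSender(uint256 quoteAmount, uint256 collateralAmount) external {
        quoteToken.safeTransferFrom(msg.sender, address(this), quoteAmount);
        collateral.safeTransfer(msg.sender, collateralAmount);
    }

    // Hardened variant 2 (alternative recommendation): a third party may act
    // for `callee_` only if `callee_` granted msg.sender a quote-token
    // allowance covering the amount, i.e. explicitly delegated to this caller.
    function takeOnBehalf(address callee_, uint256 quoteAmount, uint256 collateralAmount) external {
        if (callee_ != msg.sender) {
            require(
                quoteToken.allowance(callee_, msg.sender) >= quoteAmount,
                "callee_ has not authorized msg.sender"
            );
        }
        quoteToken.safeTransferFrom(callee_, address(this), quoteAmount);
        collateral.safeTransfer(callee_, collateralAmount);
    }
}
```

In `takeUnsafe` the only thing standing between a lender and an unwanted purchase is the allowance they gave the pool for normal deposits; both hardened variants make the payer's consent to this specific caller a precondition.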