sherlock-audit / 2023-01-ajna-judging


Avci - user can borrow more than what he puts as collateral #178

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Avci

high

user can borrow more than what he puts as collateral

## Summary

In the drawDebt function, there is no check whether the user wants to borrow more than what he put up as collateral.

## Vulnerability Detail

## Impact

An attacker can steal funds by paying very low collateral and never repaying the loan.

## Code Snippet

```solidity
    function drawDebt(
        address borrowerAddress_,
        uint256 amountToBorrow_,
        uint256 limitIndex_,
        uint256 collateralToPledge_
    ) external nonReentrant {
        PoolState memory poolState = _accruePoolInterest();

        // ensure the borrower is not credited with a fractional amount of collateral smaller than the token scale
        collateralToPledge_ = _roundToScale(collateralToPledge_, _bucketCollateralDust(0));

        DrawDebtResult memory result = BorrowerActions.drawDebt(
            auctions,
            buckets,
            deposits,
            loans,
            poolState,
            borrowerAddress_,
            amountToBorrow_,
            limitIndex_,
            collateralToPledge_
        );

        emit DrawDebt(borrowerAddress_, amountToBorrow_, collateralToPledge_, result.newLup);

        // update pool interest rate state
        poolState.debt       = result.poolDebt;
        poolState.collateral = result.poolCollateral;
        _updateInterestState(poolState, result.newLup);

        if (collateralToPledge_ != 0) {
            // update pool balances state
            if (result.t0DebtInAuctionChange != 0) {
                poolBalances.t0DebtInAuction -= result.t0DebtInAuctionChange;
            }
            poolBalances.pledgedCollateral += collateralToPledge_;

            // move collateral from sender to pool
            _transferCollateralFrom(msg.sender, collateralToPledge_);
        }

        if (amountToBorrow_ != 0) {
            // update pool balances state
            poolBalances.t0Debt += result.t0DebtChange;

            // move borrowed amount from pool to sender
            _transferQuoteToken(msg.sender, amountToBorrow_);
        }
    }
```

## Tool used

Manual Review

## Recommendation
Check the collateral amount against the requested borrow amount.

dmitriia commented 1 year ago

BorrowerActions.drawDebt does the check:

```solidity
if (!_isCollateralized(vars.borrowerDebt, borrower.collateral, result_.newLup, poolState_.poolType)) {
    revert BorrowerUnderCollateralized();
}
```
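To make the judge's point concrete, here is an added Python model (not Ajna's code) of a drawDebt call with and without the `_isCollateralized` check quoted above. It assumes the ERC20-pool form of the check, collateral valued at the LUP must cover the borrower's total debt, with 18-decimal WAD arithmetic and a constant LUP supplied by the caller; pool-type handling and LUP recomputation are left out.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point, as in Ajna's Maths library


def wmul(a: int, b: int) -> int:
    """WAD fixed-point multiply, rounding half up (assumed Maths.wmul semantics)."""
    return (a * b + WAD // 2) // WAD


def is_collateralized(debt: int, collateral: int, lup: int) -> bool:
    """Assumed ERC20-pool form of _isCollateralized: collateral priced at the
    LUP must be worth at least the borrower's total debt."""
    return wmul(collateral, lup) >= debt


@dataclass
class Borrower:
    debt: int = 0        # total quote-token debt (WAD)
    collateral: int = 0  # total pledged collateral (WAD)


class BorrowerUnderCollateralized(Exception):
    """Models the revert in BorrowerActions.drawDebt."""


def draw_debt(borrower: Borrower, amount_to_borrow: int, collateral_to_pledge: int,
              lup: int, check: bool = True) -> Borrower:
    """Pledge collateral, add debt, then run the collateralization check on the
    borrower's *total* position (existing debt counts, not just this draw).
    check=False reproduces the behaviour the report claimed: no check at all."""
    new = Borrower(borrower.debt + amount_to_borrow,
                   borrower.collateral + collateral_to_pledge)
    if check and not is_collateralized(new.debt, new.collateral, lup):
        raise BorrowerUnderCollateralized()
    return new


def draw_succeeds(borrower: Borrower, amount_to_borrow: int, collateral_to_pledge: int,
                  lup: int, check: bool = True) -> bool:
    """True if the modelled drawDebt completes, False if it reverts."""
    try:
        draw_debt(borrower, amount_to_borrow, collateral_to_pledge, lup, check)
        return True
    except BorrowerUnderCollateralized:
        return False


if __name__ == "__main__":
    # Constructed scenario: LUP of 1000 quote per collateral unit, pledge 1, borrow 1001.
    lup = 1000 * WAD
    print("without check:", draw_succeeds(Borrower(), 1001 * WAD, 1 * WAD, lup, check=False))
    print("with check:   ", draw_succeeds(Borrower(), 1001 * WAD, 1 * WAD, lup))
```

With the check in place the over-borrow reverts, and a borrower who already carries debt is also blocked from drawing more than the remaining headroom on their collateral.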