Closed github-actions[bot] closed 1 year ago
Avci
high
borrower repay 90% of amount and attacker can pay only 10% and get borrower collateral
attacker act like borrower
loss
function repayDebt( address borrowerAddress_, uint256 maxQuoteTokenAmountToRepay_, uint256 collateralAmountToPull_ ) external nonReentrant { PoolState memory poolState = _accruePoolInterest(); // ensure accounting is performed using the appropriate token scale maxQuoteTokenAmountToRepay_ = _roundToScale(maxQuoteTokenAmountToRepay_, _getArgUint256(QUOTE_SCALE)); collateralAmountToPull_ = _roundToScale(collateralAmountToPull_, _bucketCollateralDust(0)); RepayDebtResult memory result = BorrowerActions.repayDebt( auctions, buckets, deposits, loans, poolState, borrowerAddress_, maxQuoteTokenAmountToRepay_, collateralAmountToPull_ ); emit RepayDebt(borrowerAddress_, result.quoteTokenToRepay, collateralAmountToPull_, result.newLup); // update pool interest rate state poolState.debt = result.poolDebt; poolState.collateral = result.poolCollateral; _updateInterestState(poolState, result.newLup); if (result.quoteTokenToRepay != 0) { // update pool balances state poolBalances.t0Debt -= result.t0RepaidDebt; if (result.t0DebtInAuctionChange != 0) { poolBalances.t0DebtInAuction -= result.t0DebtInAuctionChange; } // move amount to repay from sender to pool _transferQuoteTokenFrom(msg.sender, result.quoteTokenToRepay); } if (collateralAmountToPull_ != 0) { // update pool balances state poolBalances.pledgedCollateral = result.poolCollateral; // move collateral from pool to sender _transferCollateral(msg.sender, collateralAmountToPull_); } }``` ## Tool used Manual Review ## Recommendation check borrower is the actual borrower
Avci
high
repayDebt function in ERC20Pool, doesn't check borrowerAddress_ is submited by msg.sender
Summary
borrower repay 90% of amount and attacker can pay only 10% and get borrower collateral
Vulnerability Detail
attacker act like borrower
Impact
loss
Code Snippet