Borrower's NFTs taken by lender by malicious ERC20 created
Summary
According to the document, the protocol does not require permission to use any ERC20 and ERC721. However, even if one complies with IERC20, malicious contracts can easily be created. These can be advantageous to the lender and damaging to the borrower's assets.
Vulnerability Detail
For example, create an ERC20 with the same name as a well-known ERC20 such as USDC. However, a mechanism can be added later to freely lock transfers or to allow only certain senders to send money. Using this ERC20, create an offer. A borrower who sees this and thinks it is a USDC sends an NFT and borrows the funds. After this, when the transfer is locked, the borrower cannot repay, and the NFT is stolen by a malicious lender through an auction.
innertia
high
Borrower's NFTs taken by lender by malicious ERC20 created
Summary
According to the document, the protocol does not require permission to use any ERC20 and ERC721. However, even if one complies with IERC20, malicious contracts can easily be created. These can be advantageous to the lender and damaging to the borrower's assets.
Vulnerability Detail
For example, create an ERC20 with the same name as a well-known ERC20 such as USDC. However, a mechanism can be added later to freely lock transfers or to allow only certain senders to send money. Using this ERC20, create an offer. A borrower who sees this and thinks it is a USDC sends an NFT and borrows the funds. After this, when the transfer is locked, the borrower cannot repay, and the NFT is stolen by a malicious lender through an auction.
Impact
Borrowed NFT stolen.
Code Snippet
After the loan is approved, the ERC20 contract is updated to inhibit this. https://github.com/sherlock-audit/2023-02-kairos/blob/main/kairos-contracts/src/RepayFacet.sol#L57
Tool used
Manual Review
Recommendation
At the very least, a whitelist system should be introduced for the ERC20.