search

sherlock-audit / 2023-02-kairos-judging

2 stars 0 forks source link

0xmrhoodie - Lenders signature reusage in the same Loan #139

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xmrhoodie

false

Lenders signature reusage in the same Loan

Summary

Borrower can use the same Offer (or offchain signature being more technical) for one Loan multiple times using more offer.amount than expected by lender.

Vulnerability Detail

Lenders/suppliers can have many active Offers so they should have enough allowance for all of them. But also they may want to cover only certain amount/share of a Loan for some NFT (for risk management or whatever). But signature reuse could end in an undesirable situation where lenders covers more amount/share of a Loan of a NFT than desired.

Impact

Lenders can't handle their risk management by setting an amount in the Offer they sign if they want to have multiple active offers. The only way to handle it would be with their allowance but this collides with having multiple active offers as the allowance must be enough for the sum of all of them.

Code Snippet

diff --git a/Borrow.t.sol.orig b/Borrow.t.sol
index 549b731..fc788d3 100644
--- a/Borrow.t.sol.orig
+++ b/Borrow.t.sol
@@ -80,4 +80,22 @@ contract TestBorrow is External {
             assertEq(nft.ownerOf(i + 1), address(kairos));
         }
     }
+
+    function testBorrowSameOfferMultipleTimes() public {
+        BorrowArg[] memory borrowArgs = new BorrowArg[](1);
+        Offer memory offer = getOffer();
+        uint256 nbOfTimes = 5;
+        uint256 currentTokenId = getJpeg(BORROWER, nft);
+        OfferArg[] memory offerArgs = new OfferArg[](nbOfTimes);
+
+        getFlooz(signer, money, nbOfTimes * getOfferArg().amount);
+
+        for (uint256 i = 0; i < nbOfTimes; i++) {
+            offerArgs[i] = OfferArg({signature: getSignature(offer), amount: getOfferArg().amount, offer: offer});
+        }
+        borrowArgs[0] = BorrowArg({nft: NFToken({id: currentTokenId, implem: nft}), args: offerArgs});
+
+        vm.prank(BORROWER);
+        kairos.borrow(borrowArgs);
+    }
 }

Tool used

Manual Review Visual Studio Code Foundry

Recommendation

Use a mapping to avoid signatures reusage so Lenders can trust in what they sign.