XO-repayDebt() function does not check limitIndex_ parameter for validity.
Summary
The repayDebt() function in the IERC20PoolBorrowerActions interface does not check the limitIndex_parameter for validity. This means that an attacker could potentially set the limitIndex_parameter to a very high value, which would allow them to pull more collateral than they are entitled to.
the IERC20PoolBorrowerActions interface has a vulnerability present in the repayDebt() function, so interface IERC20PoolBorrowerActions. It defines two functions: drawDebt() and repayDebt().
The drawDebt() function allows borrowers to add collateral to the pool and/or borrow quote from the pool. The repayDebt() function allows borrowers to repay borrowed quote to the pool, and/or pull collateral form the pool. So the problem is in the repayDebt() function. The function takes a parameter called limitIndex_. This parameter is used to ensure that the LUP has not moved far from its state when the borrower pulls collateral, the limitIndex_ parameter is not checked for validity. This means that an attacker could set the limitIndex_ parameter to a very high value, which would allow them to pull more collateral than they are entitled to.
Impact
an attacker can exploit the vulnerability as :
Set the limitIndex_parameter to a very high value.
Call the repayDebt() function.
The borrower will be able to pull more collateral than they are entitled to.
The borrower can then sell the collateral for a profit.
the repayDebt() function should check the. limitIndex_ parameter for validity. The function should only allow the borrower to pull collateral if the limitIndex_ parameter is less than or equal to the current LUP.
XDZIBEC
high
XO-
repayDebt()function does not checklimitIndex_ parameterfor validity.Summary
The
repayDebt()function in theIERC20PoolBorrowerActionsinterface does not check thelimitIndex_parameterfor validity. This means that an attacker could potentially set thelimitIndex_parameterto a very high value, which would allow them to pull more collateral than they are entitled to.Vulnerability Detail
the
IERC20PoolBorrowerActionsinterface has a vulnerability present in therepayDebt()function, so interfaceIERC20PoolBorrowerActions.It defines two functions:drawDebt()andrepayDebt().The
drawDebt()function allows borrowers to add collateral to the pooland/orborrow quote from the pool. TherepayDebt()function allows borrowers to repay borrowed quote to the pool,and/orpull collateral form the pool. So the problem is in therepayDebt()function. The function takes a parameter calledlimitIndex_.This parameter is used to ensure that theLUPhas not moved far from its state when the borrower pulls collateral, thelimitIndex_parameter is not checked for validity. This means that an attacker could set thelimitIndex_parameter to a very high value, which would allow them to pull more collateral than they are entitled to.Impact
an attacker can exploit the vulnerability as :
Set the
limitIndex_parameterto a very high value.Call the
repayDebt()function.The borrower will be able to pull more
collateralthan they are entitled to.The borrower can then sell the
collateralfor a profit.Code Snippet
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/interfaces/pool/erc20/IERC20PoolBorrowerActions.sol#L34C24-L34C24
Tool used
Manual Review
Recommendation
repayDebt()function should check the.limitIndex_ parameterfor validity. The function should only allow the borrower to pull collateral if thelimitIndex_ parameteris less than or equal to the currentLUP.