sherlock-audit / 2023-10-real-wagmi-judging


ReadyPlayer2 - Invalid caller bypass in LiquidityBorrowingManager.sol repay function #175

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ReadyPlayer2

high

Invalid caller bypass in LiquidityBorrowingManager.sol repay function

Summary

In LiquidityBorrowingManager.sol any caller can bypass the borrower check in order to repay a loan and receive collateral and profits from the open position.

Vulnerability Detail

In the repay() function the check (msg.sender != borrowing.borrower && collateralBalance >= 0).revertError( ErrLib.ErrorCode.INVALID_CALLER ); can be bypassed by any caller if the collateralBalance is less than zero.

Impact

This could allow a caller to receive holdToken and profits from the current open position by setting the emergency parameter to false, or to set it to true to force an emergency loan closure.

Code Snippet

(msg.sender != borrowing.borrower && collateralBalance >= 0).revertError( ErrLib.ErrorCode.INVALID_CALLER );

Tool used

Manual Review

Recommendation

I would recommend the collateralBalance check be removed from this condition or for the logical and to be changed to a logical or.

sherlock-admin2 commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. I think the function works as it should

tsvetanovv commented:

Invalid. I think the function works as it should