search

sherlock-audit / 2024-04-teller-finance-judging

10 stars 9 forks source link

0xLogos - LenderCommitmentGroup_Smart can be tricked to account for not owned loans payments #209

Closed sherlock-admin2 closed 4 months ago

sherlock-admin2 commented 4 months ago

0xLogos

high

LenderCommitmentGroup_Smart can be tricked to account for not owned loans payments

Summary

Any lender can set LenderCommitmentGroup_Smart as callback receiver in setRepaymentListenerForBid and break its internal accounting.

Vulnerability Detail

In _repayLoan, callback is made to user controlled listener.

address loanRepaymentListener = repaymentListenerForBid[_bidId]; // set by lender
if (loanRepaymentListener != address(0)) {
    try
        ILoanRepaymentListener(loanRepaymentListener).repayLoanCallback{
            gas: 80000
        }(
            _bidId,
            _msgSenderForMarket(bid.marketplaceId),
            _payment.principal,
            _payment.interest
        )
    {} catch {}
}

LenderCommitmentGroup_Smart use this callback for internal accounting, but can be tricked to account for not owned loans.

function repayLoanCallback(
    uint256 _bidId,
    address repayer,
    uint256 principalAmount,
    uint256 interestAmount
) external onlyTellerV2 {
    totalPrincipalTokensRepaid += principalAmount;
    totalInterestCollected += interestAmount;
}

Impact

LenderCommitmentGroup_Smart internal accounting for totalPrincipalTokensRepaid and totalInterestCollected is broken which can cause underflow in getTotalPrincipalTokensOutstandingInActiveLoans() and inflate getPoolTotalEstimatedValue()

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/defe55469a2576735af67483acf31d623e13592d/teller-protocol-v2-audit-2024/packages/contracts/contracts/TellerV2.sol#L1248-L1259

Tool used

Manual Review

Recommendation

Do not allow setting LenderCommitmentGroup_Smart as listener

Duplicate of #42