Open sherlock-admin4 opened 2 months ago
Can you elaborate on why this is a problem and what the code fix should be? Perhaps with tests before and after? I don't understand. Thanks.
Seems weird to say that them fully paying the loan is a problem.
Ok, I think this actually may pose a problem. If the price of the collateral goes up super high, it could become a race to make these two calls. The issue is that ANYONE can repay the loan for 1x, not that the original borrower can.
We may need a way to allow the lender group contract to 'close' defaulted loans (that are owed to it) in such a way as to prevent anyone repaying them and thus arbitrarily modifying the "getAmountDue" to mess with this liquidation calculation.
The protocol team fixed this issue in the following PRs/commits: https://github.com/teller-protocol/teller-protocol-v2-audit-2024/pull/41
The Lead Senior Watson signed off on the fix.
pkqs90
medium
Users can bypass auction mechanism for LenderCommitmentGroup_Smart liquidation mechanism for loans that are close to end of loan
Summary
LenderCommitmentGroup_Smart has an auction mechanism for users to help liquidate defaulted loans. The auction begins from 8x of amountOwed, gradually decreasing to 0x. However, for loans that are close to end of loan, users can bypass this mechanism and pay only 1x of amountOwed to perform liquidation.
Vulnerability Detail
For loans that are close to end of loan, the calculated due date and default timestamp will not change upon a repay. See function getLoanDefaultTimestamp(), which calls calculateNextDueDate(). If the calculated dueDate is larger than endOfLoan, the due date will return endOfLoan.
This means that for a loan that is close to the end of loan and is already in default, the normal way to liquidate would be participating in the auction using liquidateDefaultedLoanWithIncentive().
However, a user can first repay the collateral by TellerV2#repayLoanFullWithoutCollateralWithdraw and make the amountOwed equal to zero, then call liquidateDefaultedLoanWithIncentive() and pass _tokenAmountDifference == 0. Since the due date does not change upon a repay, the loan is still in default, and the user can successfully perform the liquidation.
If the user participated in the auction, he would have to pay 8x the amount of tokens. However, by repaying in TellerV2, he only needs to pay 1x and can perform the liquidation.
Impact
For loans that are close to end of loan, users can bypass auction mechanism and pay only 1x of amountOwed to perform liquidation.
Code Snippet
Tool used
Manual review
Recommendation
If a loan is already close to end of loan date, only allow the lender to repay.
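A simplified Python model of the behaviour the report describes, added here as an illustration and not taken from the Teller contracts or the fix PR. It shows the due date clamped at the end of the loan, so that a full repayment leaves a defaulted loan in default with nothing owed, and the report's recommendation as a guard. The grace period, the auction window, the `last_repaid + cycle` due-date rule and the `lender_only_after_default` flag are assumptions made for the model.

```python
from dataclasses import dataclass

DEFAULT_GRACE = 3 * 86400   # assumed: seconds past the due date before a loan is in default
AUCTION_WINDOW = 86400      # assumed: seconds for the auction multiplier to fall from 8x to 0x

@dataclass
class Loan:
    lender: str
    accepted: int           # timestamp at which the loan started
    duration: int           # loan term in seconds
    cycle: int              # payment cycle in seconds
    owed: int               # amount still due
    last_repaid: int        # timestamp of the last repayment

    def next_due_date(self) -> int:
        # The clamp from the report: a due date past the end of the loan returns the end of the loan.
        return min(self.last_repaid + self.cycle, self.accepted + self.duration)

    def default_timestamp(self) -> int:
        return self.next_due_date() + DEFAULT_GRACE

    def is_defaulted(self, now: int) -> bool:
        return now > self.default_timestamp()

def repay_full(loan: Loan, payer: str, now: int, lender_only_after_default: bool = False) -> int:
    # lender_only_after_default is a hypothetical flag modelling the report's recommendation.
    if lender_only_after_default and loan.is_defaulted(now) and payer != loan.lender:
        raise PermissionError("only the lender may repay a defaulted loan")
    paid, loan.owed, loan.last_repaid = loan.owed, 0, now
    return paid

def min_token_difference(loan: Loan, now: int) -> int:
    # Extra tokens the auction demands: 8x of the amount owed, decaying linearly to 0x.
    if not loan.is_defaulted(now):
        raise ValueError("loan is not in default")
    elapsed = min(now - loan.default_timestamp(), AUCTION_WINDOW)
    return loan.owed * 8 * (AUCTION_WINDOW - elapsed) // AUCTION_WINDOW

def sample_loan() -> Loan:
    # Constructed values: 30-day term, 30-day cycle, 1000 tokens owed, never repaid.
    return Loan("lender_group", accepted=0, duration=30 * 86400, cycle=30 * 86400, owed=1000, last_repaid=0)
```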