iamnmt - The last lender of a partially fulfilled borrow request might have a significantly higher collateral ratio than the collateral ratio specified in the borrow request #125
The last lender of a partially fulfilled borrow request might have a significantly higher collateral ratio than the collateral ratio specified in the borrow request
Summary
The last lender of a partially fulfilled borrow request might have a significantly higher collateral ratio than the collateral ratio specified in the borrow request.
Root Cause
In _acceptOffer, the collateralAmountRequired is the leftover collateral when the borrow request is fully filled
The borrower can use matchProposals to match their borrow request to a better loan offer, which has a lower collateral ratio than the ratio of the borrow request
If the borrower has used their borrow request to match with the lower collateral ratio loan offer, then the last lender that fully accepts the borrow request will have a significantly higher collateral ratio than the collateral ratio specified in the borrow request.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Alice signs a borrow request that has collateralAmount = 20 ether, and loanAmount = 10 ether (collateral ratio = 200%)
Bob signs a loan offer that has collateralAmount = 5 ether, and loanAmount = 5 ether (collateral ratio = 100%)
Since Bob's loan offer has a lower collateral ratio than her borrow request, the loan offer is better for her. Alice matches Bob's loan offer against her. Current states:
fulfillment.collateralAmount = 15 ether
fulfillment.loanAmount = 5 ether
Cindy fully accepts Alice's borrow request, and Cindy benefits from a loan with high collateral ratio (15 ether / 5 ether = 300%)
We believe the loan should only have a collateral ratio lower than or equal to 200%.
Impact
The last lender (Cindy) might have a significantly higher collateral ratio than the collateral ratio specified in the borrow request
The borrower (Alice) will have a loan that has a higher collateral ratio than expected.
PoC
Add a view function in PredictDotLoan to check the collateral ratio of a loan
iamnmt
Medium
The last lender of a partially fulfilled borrow request might have a significantly higher collateral ratio than the collateral ratio specified in the borrow request
Summary
The last lender of a partially fulfilled borrow request might have a significantly higher collateral ratio than the collateral ratio specified in the borrow request.
Root Cause
In
_acceptOffer
, thecollateralAmountRequired
is the leftover collateral when the borrow request is fully filledhttps://github.com/sherlock-audit/2024-09-predict-fun/blob/41e70f9eed3f00dd29aba4038544150f5b35dccb/predict-dot-loan/contracts/PredictDotLoan.sol#L983
The borrower can use
matchProposals
to match their borrow request to a better loan offer, which has a lower collateral ratio than the ratio of the borrow requesthttps://github.com/sherlock-audit/2024-09-predict-fun/blob/41e70f9eed3f00dd29aba4038544150f5b35dccb/predict-dot-loan/contracts/PredictDotLoan.sol#L351-L356
then the collateral ratio of the loan is the collateral ratio of the loan offer
https://github.com/sherlock-audit/2024-09-predict-fun/blob/41e70f9eed3f00dd29aba4038544150f5b35dccb/predict-dot-loan/contracts/PredictDotLoan.sol#L395-L399
If the borrower has used their borrow request to match with the lower collateral ratio loan offer, then the last lender that fully accepts the borrow request will have a significantly higher collateral ratio than the collateral ratio specified in the borrow request.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
collateralAmount = 20 ether
, andloanAmount = 10 ether
(collateral ratio = 200%)collateralAmount = 5 ether
, andloanAmount = 5 ether
(collateral ratio = 100%)fulfillment.collateralAmount = 15 ether
fulfillment.loanAmount = 5 ether
We believe the loan should only have a collateral ratio lower than or equal to 200%.
Impact
PoC
Add a view function in
PredictDotLoan
to check the collateral ratio of a loanRun command:
forge test --match-path test/foundry/PoC.t.sol -vv
Logs:
Mitigation
In
_calculateCollateralAmountRequired
, thecollateralAmountRequired
is the leftover collateral only when the leftover amounts are only a few weis.THRESHOLD
could be10
.