Each loan taking up at least 10% of the proposal's loan amount is a protocol invariant that doesn't hold in all cases
Summary
According to the README, each loan must take up at least 10% of the proposal's loan amount:
Each loan must take up at least 10% of the proposal’s loan amount
However, that is not the case and the invariant can be broken.
Root Cause
Once a proposal is fully filled, users can still create loans by passing 0 as the amount to fill. This passes all checks and breaks the invariant, as 0 is 0% of the proposal's loan amount.
Internal pre-conditions
A fully filled proposal which isn't cancelled
External pre-conditions
No external pre-conditions
Attack Path
1. A proposal is fully filled.
2. A user accepts that proposal, setting 0 as the amount to fill.
3. Every check passes, because execution never enters this if block (0 == loanAmount - fulfilledAmount, as the loan is filled):
    if (fulfillAmount != loanAmount - fulfilledAmount)
4. This can be repeated endlessly until the proposal is cancelled, breaking the protocol invariant every single time.
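A minimal Solidity model of the check described above, next to a hardened form, added here as an illustration; it is not the audited protocol's code. The contract and function names and the body of the if branch are assumptions; only the branch condition and the variables loanAmount, fulfilledAmount and fulfillAmount come from this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the partial-fill check (added example).
/// All names are hypothetical except the variables quoted in the report.
contract PartialFillModel {
    uint256 public immutable loanAmount; // proposal's total loan amount
    uint256 public fulfilledAmount;      // amount already filled
    uint256 public loanCount;            // number of loans created

    constructor(uint256 _loanAmount) {
        loanAmount = _loanAmount;
    }

    /// Behaviour described in the report: the 10% floor (assumed to live
    /// inside the branch) is only enforced when the fill differs from the
    /// remaining amount.
    function acceptVulnerable(uint256 fulfillAmount) external {
        if (fulfillAmount != loanAmount - fulfilledAmount) {
            require(fulfillAmount >= loanAmount / 10, "below 10% floor");
            require(fulfilledAmount + fulfillAmount <= loanAmount, "overfill");
        }
        // Fully filled proposal: remaining == 0, so fulfillAmount == 0
        // skips the branch and a zero-sized loan is still recorded.
        fulfilledAmount += fulfillAmount;
        loanCount += 1;
    }

    /// Hardened form: reject filled proposals and zero-sized fills
    /// before the branch is evaluated.
    function acceptHardened(uint256 fulfillAmount) external {
        uint256 remaining = loanAmount - fulfilledAmount;
        require(remaining != 0, "proposal fully filled");
        require(fulfillAmount != 0, "zero fill");
        if (fulfillAmount != remaining) {
            require(fulfillAmount >= loanAmount / 10, "below 10% floor");
            require(fulfillAmount <= remaining, "overfill");
        }
        fulfilledAmount += fulfillAmount;
        loanCount += 1;
    }
}
```

After one call that fills the whole proposal, acceptVulnerable(0) keeps incrementing loanCount, while acceptHardened(0) reverts.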
Impact
A core protocol invariant is broken and it causes the following unwanted behavior based on the README:
It would be a nightmare for both sides if they have to manage tens of thousands of loans.
Medium
PoC
No response
Mitigation
No response