sherlock-audit / 2024-09-predict-fun-judging


000000 - Each loan taking up at least 10% of the proposal's loan amount is a protocol invariant that doesn't hold in all cases #248

Open sherlock-admin4 opened 1 month ago

sherlock-admin4 commented 1 month ago

000000

Medium

Each loan taking up at least 10% of the proposal's loan amount is a protocol invariant that doesn't hold in all cases

Summary

According to the README, each loan must take up at least 10% of the proposal's loan amount:

Each loan must take up at least 10% of the proposal’s loan amount

However, that is not the case and the invariant can be broken.

Root Cause

Whenever a proposal is fully filled, people can still create loans by putting 0 as the amount to fill. This passes all checks and successfully breaks the invariant as 0 is 0% of the proposal's loan amount.

Internal pre-conditions

  1. A fully filled proposal which isn't cancelled

External pre-conditions

No external pre-conditions

Attack Path

  1. A proposal is fully filled
  2. User accepts that proposal by setting 0 as the amount to fill
  3. Every check passes, creating a loan, as we don't end up in this if check (0 == loanAmount - fulfilledAmount, as the loan is filled):
    if (fulfillAmount != loanAmount - fulfilledAmount)
  4. This can be done endlessly until the proposal is cancelled, breaking the protocol invariant every single time

Impact

A core protocol invariant is broken and it causes the following unwanted behavior based on the README:

It would be a nightmare for both sides if they have to manage tens of thousands of loans.

PoC

No response

Mitigation

No response
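The following is an added, hypothetical Solidity model of the acceptance path described in the finding; it is not PredictDotFun's code. The contract name, struct layout, error names and the placement of the 10% floor inside the `fulfillAmount != remaining` branch are all assumptions (the finding only quotes the outer condition). `acceptWeak` reproduces the reported behaviour, where a fully filled proposal accepts a zero-amount fill because 0 equals the remaining amount; `acceptHardened` rejects fully filled proposals and zero fills before the remainder comparison is reached.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified model of proposal acceptance (not the project's code).
contract ProposalFillModel {
    struct Proposal {
        uint256 loanAmount;      // total amount the proposal wants matched
        uint256 fulfilledAmount; // amount already matched into loans
        bool cancelled;
    }

    mapping(uint256 => Proposal) public proposals;
    uint256 public loanCount; // loans created across all proposals

    error ProposalCancelled();
    error ProposalFullyFilled();
    error FulfillAmountTooLow();
    error FulfillAmountTooHigh();

    function createProposal(uint256 id, uint256 loanAmount) external {
        proposals[id] = Proposal({loanAmount: loanAmount, fulfilledAmount: 0, cancelled: false});
    }

    function cancelProposal(uint256 id) external {
        proposals[id].cancelled = true;
    }

    // Vulnerable pattern: the 10% floor is only enforced when the fill is not
    // exactly the remaining amount. Once remaining == 0, a fill of 0 is "exactly
    // the remainder", so the floor is skipped and an empty loan is created.
    function acceptWeak(uint256 id, uint256 fulfillAmount) external {
        Proposal storage p = proposals[id];
        if (p.cancelled) revert ProposalCancelled();
        uint256 remaining = p.loanAmount - p.fulfilledAmount;
        if (fulfillAmount > remaining) revert FulfillAmountTooHigh();
        if (fulfillAmount != remaining) {
            // assumed placement of the 10% floor; only the outer condition is quoted in the finding
            if (fulfillAmount < p.loanAmount / 10) revert FulfillAmountTooLow();
        }
        p.fulfilledAmount += fulfillAmount;
        loanCount++;
    }

    // Hardened variant: a fully filled proposal and a zero fill are rejected
    // before the remainder comparison, so every created loan is either at least
    // 10% of loanAmount or the non-zero remainder that closes the proposal.
    function acceptHardened(uint256 id, uint256 fulfillAmount) external {
        Proposal storage p = proposals[id];
        if (p.cancelled) revert ProposalCancelled();
        uint256 remaining = p.loanAmount - p.fulfilledAmount;
        if (remaining == 0) revert ProposalFullyFilled();
        if (fulfillAmount == 0) revert FulfillAmountTooLow();
        if (fulfillAmount > remaining) revert FulfillAmountTooHigh();
        if (fulfillAmount != remaining && fulfillAmount < p.loanAmount / 10) {
            revert FulfillAmountTooLow();
        }
        p.fulfilledAmount += fulfillAmount;
        loanCount++;
    }
}
```

Calling `createProposal(1, 1000)`, then `acceptWeak(1, 1000)` followed by repeated `acceptWeak(1, 0)`, increments `loanCount` on every zero-amount call, which is the unbounded-loan behaviour the finding describes; the same sequence against `acceptHardened` reverts with `ProposalFullyFilled` on the first zero fill. The hardened version still deliberately lets a non-zero remainder below 10% through when it exactly closes the proposal, since that exception is what the quoted condition exists for.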

sherlock-admin2 commented 1 month ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/PredictDotFun/predict-dot-loan/pull/35