smbv-1923 - Breaking of `Collateralization Ratio At LeastOneHundredPercent` invariant during `auction()`

[sherlock-admin2]

smbv-1923

Medium

Breaking of Collateralization Ratio At LeastOneHundredPercent invariant during auction()

Summary

Breaking of Collateralization Ratio At LeastOneHundredPercent invariant during auction()

Root Cause

• There is no check to prevent the Collateralization Ratio At LeastOneHundredPercent invariant.
• In other functions like refinance ,acceptLoan the invariant is checked but not in auction()
• https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L561

Internal pre-conditions

• Borrower should not have payed debt during loan Duration so that lender can call() for auctioning loan purpose.
• Then newLender calls auction() and then Collateralization Ratio At LeastOneHundredPercent invariant breaks as they allowing loanAmount > collateralAmount

External pre-conditions

• Given example in root cause

Attack Path

• Under certain circumstances while calling auction() it breaks the Collateralization Ratio At LeastOneHundredPercent invariant
• Let's understand vulnerability through scenario.
• Suppose Borrower has accepted a loan from lender in which collateralAmount = 1000 ether and loanAmount = 1000 ether and time duration of loan = 6 months and 10% APY.
• Now Borrower doesn't pay loan amount till duration of loan.
• Then Lender call() the loan as user didn't pay interest.
• Now new lender comes and call auction() to take the loan.
• New lender transfers the debt + protocol fee to old lender.
• Now new loan gets created with old collateral amount and new loan amount

  newLoan.collateralAmount = loan.collateralAmount;
  newLoan.loanAmount = debt + protocolFee;

• So the new loan's collateral amount will be 1000 etherand new loan amount would be oldAmount + fee + interest accrued, we can suppose new loan amount would 1100 ether.
• So now in the new loan loanAmount > collateralAmount which breaks the Collateralization Ratio At LeastOneHundredPercent invariant.

   function _assertCollateralizationRatioAtLeastOneHundredPercent(
      uint256 collateralAmount,
      uint256 loanAmount
  ) private pure {
      if (collateralAmount < loanAmount) {
          revert CollateralizationRatioTooLow();
      }
  }

Impact

• Breaking of Collateralization Ratio At LeastOneHundredPercent main invariant which leads new lender getting under-collaterized loan.

PoC

No response

Mitigation

• The Collateralization Ratio At LeastOneHundredPercent invariant should be checked while auction()

[sherlock-admin2]

The protocol team fixed this issue in the following PRs/commits: https://github.com/PredictDotFun/predict-dot-loan/pull/39