nikhilx0111 - function acceptLoanOfferAndFillOrder will revert when a loan amount is fully filled

[sherlock-admin4]

nikhilx0111

High

function acceptLoanOfferAndFillOrder will revert when a loan amount is fully filled

Summary

The acceptLoanOfferAndFillOrder function accepts a loan offer, validates the proposal and order, calculates required collateral, and fulfills the order. It manages fees and collateral handling; however, due to an assertion check, the function will revert when the loan is being fully filled.

The function acceptLoanOfferAndFillOrder calls _assertProposalValidity(proposalId, proposal, positionId, fulfillAmount),

    _assertProposalValidity(proposalId, proposal, positionId, fulfillAmount);

which then calls

    _assertFulfillAmountNotTooHigh(fulfillAmount, fulfillment.loanAmount, loanAmount);

The _assertFulfillAmountNotTooHigh function checks if the total fulfill amount is greater than the loan amount:

function _assertFulfillAmountNotTooHigh(
    uint256 fulfillAmount,
    uint256 fulfilledAmount,
    uint256 loanAmount
) private pure {
    if (fulfilledAmount + fulfillAmount > loanAmount) {
        revert FulfillAmountTooHigh();

As we can see, the function reverts if the fulfill amount exceeds the loan amount.

Now, in the acceptLoanOfferAndFillOrder function, the fulfill amount is calculated as:

    bytes32 proposalId = hashProposal(proposal);
    uint256 protocolFee = (exchangeOrder.takerAmount * protocolFeeBasisPoints) / 10_000;
    uint256 fulfillAmount = exchangeOrder.takerAmount + protocolFee;  /////@audit 
    _assertProposalValidity(proposalId, proposal, positionId, fulfillAmount);

the fullfill amount is calculated as protocolfee+ exchangeorder.takeramount

As a result, the fulfill amount will always exceed the loan amount when the loan is being fully filled due to the addition of the protocol fee, which will cause the revert.

Root Cause

https://github.com/sherlock-audit/2024-09-predict-fun/blob/41e70f9eed3f00dd29aba4038544150f5b35dccb/predict-dot-loan/contracts/PredictDotLoan.sol#L236

https://github.com/sherlock-audit/2024-09-predict-fun/blob/41e70f9eed3f00dd29aba4038544150f5b35dccb/predict-dot-loan/contracts/PredictDotLoan.sol#L1432

https://github.com/sherlock-audit/2024-09-predict-fun/blob/41e70f9eed3f00dd29aba4038544150f5b35dccb/predict-dot-loan/contracts/PredictDotLoan.sol#L1281-L1287

https://github.com/sherlock-audit/2024-09-predict-fun/blob/41e70f9eed3f00dd29aba4038544150f5b35dccb/predict-dot-loan/contracts/PredictDotLoan.sol#L235

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

acceptloanofferandfillorder function will always revert when trying to fully fill a loan

PoC

• Alice is the lender.

• Bob is the borrower.

  Loan Details

• Bob wants to borrow a total loan amount of **1000 tokens

• The protocol fee is set at 2%, which translates to 20 tokens

  Exchange Order

• Bob’s exchangeOrder.takerAmount` is 1000 tokens.

  Calculation of Fulfill Amount**:

  uint256 protocolFee = (exchangeOrder.takerAmount * protocolFeeBasisPoints) / 10_000; uint256 fulfillAmount = exchangeOrder.takerAmount + protocolFee; // 1000 + 20 = 1020

  Here, the fulfillAmount is calculated as:

  {fulfillAmount} = 1000 + 20 = 1020

  Assertion Check

• When the function calls _assertFulfillAmountNotTooHigh, it checks:

  _assertFulfillAmountNotTooHigh(fulfillAmount, fulfilledAmount, loanAmount);

  0 + 1020 > 1000 { (loanAmount)}

  This condition is true, and the assertion will trigger a revert:

  revert FulfillAmountTooHigh();

Mitigation

dont add the protocol fee in while calculating the fullfill amount