Loan with less Collateral amount and more Loan Amount will be created during auction()
Summary
Whenever the proposal duration will be over , lender will call the auction for loan as borrower would have not repayed the loan. So while creating new loan when new lender takes over loan the main invariant
'Collateralization ratio must be at least 100%. Revert if the collateral amount is less than the loan amount.'
this invariant is not properly followed while creating the new loan here.
When lender has created proposal with x loan token and x collateral token. And borrower has accepted the loan as it is 100% collaterization ratio. Now when proposal duration is over and still borrower has not repayed the loan. lender will call call() and auction will get started. Now the scenario is new lender can take over this loan but he has to loan amount = x + interest accrued during loan and also + protocol fee 2%. Old lender will get his loan amount as new lender takes over. But in this case collateral is still x.
so now scenario has become (x + something) (protocol fee + debt) and x collateral for new loan which is being created by new lender.
now collateralization ratio would be collateral amount / loan amount. which is less than 1 and means less than 100%. while no new loan should be created in this way.
Internal pre-conditions
1) lender creates proposal with 100% ratio
2) borrow accepts and loan is creaed
3) if borrower not repays , auction is called
4) new lender takes over the loan by giving necessary loan amount to old lender
External pre-conditions
No response
Attack Path
No response
Impact
main check regarding _assertCollateralizationRatioAtLeastOneHundredPercent() will be broke and loan will be created with less ratio
PoC
No response
Mitigation
As done in all fucntion wherever createLoan is called. check with fucntion regarding 100% collateral ratio should be checked in auction as well
Main Seaweed Condor
High
Loan with less Collateral amount and more Loan Amount will be created during auction()
Summary
Whenever the proposal duration will be over , lender will call the auction for loan as borrower would have not repayed the loan. So while creating new loan when new lender takes over loan the main invariant
'Collateralization ratio must be at least 100%. Revert if the collateral amount is less than the loan amount.'
this invariant is not properly followed while creating the new loan here.
Root Cause
https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L561C4-L606C1
https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L1227C4-L1241C6
When lender has created proposal with x loan token and x collateral token. And borrower has accepted the loan as it is 100% collaterization ratio. Now when proposal duration is over and still borrower has not repayed the loan. lender will call call() and auction will get started. Now the scenario is new lender can take over this loan but he has to loan amount = x + interest accrued during loan and also + protocol fee 2%. Old lender will get his loan amount as new lender takes over. But in this case collateral is still x.
so now scenario has become (x + something) (protocol fee + debt) and x collateral for new loan which is being created by new lender. now collateralization ratio would be collateral amount / loan amount. which is less than 1 and means less than 100%. while no new loan should be created in this way.
Internal pre-conditions
1) lender creates proposal with 100% ratio 2) borrow accepts and loan is creaed 3) if borrower not repays , auction is called 4) new lender takes over the loan by giving necessary loan amount to old lender
External pre-conditions
No response
Attack Path
No response
Impact
main check regarding _assertCollateralizationRatioAtLeastOneHundredPercent() will be broke and loan will be created with less ratio
PoC
No response
Mitigation
As done in all fucntion wherever createLoan is called. check with fucntion regarding 100% collateral ratio should be checked in auction as well