1.Malicious borrower can use up loan offers by calling acceptLoanOffersAndFillOrders()
Summary
The function acceptLoanOfferAndFillOrder() allows borrowers to borrow from a proposal and use the loan to fill orders on the exchange. However since the borrower does not need to pay anything upfront, they can just use up loans and default them.
Root Cause
Anyone can use up loans, this is a design error.
Internal pre-conditions
None
External pre-conditions
None
Attack Path
call the function with an order that has the maker amount equal to the proposal's collateral amount.
Impact
This could lead to lenders not using the protocol at all since they never get interest on their loan. They might get the collateral tokens but no profits were made.
PoC
No response
Mitigation
The function should implement some checks in order to ensure that the borrower is not malicious. For example, making sure the borrower has some balance or only let verified borrowers or whales borrow and fill orders.
Urban Jetblack Mantaray
Medium
1.Malicious borrower can use up loan offers by calling acceptLoanOffersAndFillOrders()
Summary
The function acceptLoanOfferAndFillOrder() allows borrowers to borrow from a proposal and use the loan to fill orders on the exchange. However since the borrower does not need to pay anything upfront, they can just use up loans and default them.
Root Cause
Anyone can use up loans, this is a design error.
Internal pre-conditions
None
External pre-conditions
None
Attack Path
call the function with an order that has the maker amount equal to the proposal's collateral amount.
Impact
This could lead to lenders not using the protocol at all since they never get interest on their loan. They might get the collateral tokens but no profits were made.
PoC
No response
Mitigation
The function should implement some checks in order to ensure that the borrower is not malicious. For example, making sure the borrower has some balance or only let verified borrowers or whales borrow and fill orders.