Borrower Receives Less Than Expected Loan Amount Due to Protocol Fee Deduction
Summary
In the acceptLoanOffer() and acceptBorrowOffer() functions, the _acceptOffer() internal function is responsible for handling the offer acceptance process. This function calls _transferLoanAmountAndProtocolFee(), which deducts the protocol fee from the loan amount before transferring the remaining amount to the borrower. This behavior results in the borrower receiving less than the expected loan amount, leading to an inaccurate fulfillment of the loan agreement.
Specifically, when Alice (the lender) accepts Bob’s (the borrower’s) loan offer, Bob receives a reduced amount due to the protocol fee deduction, though he is still required to provide the full collateral and repay the original loan amount. This creates an imbalance in the loan agreement, which could lead to repayment issues and borrower dissatisfaction.
Root Cause
The core issue lies in the _transferLoanAmountAndProtocolFee() function, where the protocol fee is deducted from the loan amount before being transferred to the borrower. The borrower is expected to receive the full loan amount but ends up receiving less due to the protocol fee deduction.
Here is the relevant code that highlights the problem:
Instead of transferring the full $500 \times 10^{18}$ USDB to Bob, the _transferLoanAmountAndProtocolFee() function deducts the protocol fee from the loan amount:
Bob only receives $495 \times 10^{18} \, \text{USDB}$, which is less than the agreed loan amount of $500 \times 10^{18} \, \text{USDB}$.
Collateral Transfer:
Bob transfers the collateral of $500 \times 10^{18} \, \text{CTF}$ to the predictDotLoan contract.
Loan Creation:
A loan is created where Bob owes Alice $500 \times 10^{18} \, \text{USDB}$ plus interest, but Bob only received $495 \times 10^{18} \, \text{USDB}$. This discrepancy could lead to repayment issues.
Impact
The borrower receives less than the intended loan amount due to the deduction of the protocol fee. This discrepancy could cause issues with loan repayment, as the borrower still needs to repay the full loan amount, despite receiving a reduced amount. In the worst-case scenario, this could lead to borrower default or disputes between the lender and borrower.
PoC
Commands to run the test:
```bash
# To run the following PoC, paste the code below into the PredictDotLoan_AcceptBorrowRequest.t.sol file
# and run this command:
forge test --mt test_acceptBorrowRequest_EIP1271_Bluedragon -vv
```
Add the following in the TesHelper.sol::setUp() function:
Logs:
```text
CTF balance of wallet before loan is accepted: 1000000000000000000000
----------------------------------------------------
Balance of USDB before loan is accepted: 0
----------------------------------------------------
CTF balance of wallet after loan is accepted: 0
----------------------------------------------------
Actual loan amount: 700000000000000000000
----------------------------------------------------
Balance of USDB received: 693000000000000000000
```
Mitigation
To resolve this issue, the protocol fee should be charged separately from the loan amount so that the borrower receives the full loan amount.
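The two settlement models side by side, as an added example (a Python ledger model, not the PredictDotLoan contract code). It assumes a fee of 100 basis points, the rate that yields the $5 \times 10^{18}$ fee on a $500 \times 10^{18}$ loan and the 693/700 balances in the logs, and it assumes that in the mitigated form the lender funds the fee on top of the loan amount. The names Settlement, protocol_fee, settle_fee_from_principal and settle_fee_on_top are hypothetical.

```python
# Added illustration: a ledger model, not the PredictDotLoan contract code.
from dataclasses import dataclass

BPS_DENOMINATOR = 10_000
WAD = 10**18  # 18-decimal token unit, as in the report's amounts


@dataclass(frozen=True)
class Settlement:
    lender_pays: int             # total pulled from the lender
    borrower_receives: int       # loan tokens credited to the borrower
    fee_recipient_receives: int  # protocol fee
    debt_principal: int          # principal recorded on the loan

    @property
    def shortfall(self) -> int:
        """Principal the borrower owes but never received."""
        return self.debt_principal - self.borrower_receives

    @property
    def conserved(self) -> bool:
        """Every token leaving the lender must arrive somewhere."""
        return self.lender_pays == self.borrower_receives + self.fee_recipient_receives


def protocol_fee(loan_amount: int, fee_bps: int) -> int:
    """Basis-point fee; integer division truncates, as in Solidity."""
    if loan_amount < 0 or not 0 <= fee_bps <= BPS_DENOMINATOR:
        raise ValueError("amount must be >= 0 and fee within 0..10000 bps")
    return loan_amount * fee_bps // BPS_DENOMINATOR


def settle_fee_from_principal(loan_amount: int, fee_bps: int) -> Settlement:
    """Behaviour the report describes: the fee is carved out of the loan."""
    fee = protocol_fee(loan_amount, fee_bps)
    return Settlement(loan_amount, loan_amount - fee, fee, loan_amount)


def settle_fee_on_top(loan_amount: int, fee_bps: int) -> Settlement:
    """Mitigation shape (assumed: the lender funds the fee separately)."""
    fee = protocol_fee(loan_amount, fee_bps)
    return Settlement(loan_amount + fee, loan_amount, fee, loan_amount)


if __name__ == "__main__":
    for amount in (500 * WAD, 700 * WAD):  # the report's two loan sizes
        before = settle_fee_from_principal(amount, 100)
        after = settle_fee_on_top(amount, 100)
        print(amount, before.borrower_receives, before.shortfall, after.shortfall)
```

In both models every token leaving the lender is accounted for; only the first leaves the borrower owing principal that was never received.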
Overt Fossilized Elephant
Medium
Relevant code for the root cause: https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L889-L899
Internal pre-conditions
ProtocolFeeBasisPoints greater than 0
External pre-conditions
No response
Attack Path
Bob’s Loan Proposal:
Alice Accepts Bob’s Loan Offer:
Protocol Fee Calculation: The protocol fee is calculated as follows:
$$\text{Protocol Fee} = \frac{500 \times 10^{18} \times 1}{10,000} = 5 \times 10^{18} \, \text{USDB}$$
Incorrect Transfer to Bob:
Instead of transferring the full $500 \times 10^{18}$ USDB to Bob, the _transferLoanAmountAndProtocolFee() function deducts the protocol fee from the loan amount:
$$\text{Amount Transferred to Bob} = 500 \times 10^{18} - 5 \times 10^{18} = 495 \times 10^{18} \, \text{USDB}$$
Bob only receives $495 \times 10^{18} \, \text{USDB}$, which is less than the agreed loan amount of $500 \times 10^{18} \, \text{USDB}$.