search

sherlock-audit / 2024-09-predict-fun-judging

5 stars 4 forks source link

yaioxy - `auction` function does not check if collateral amount > debt + protocol fee #323

Open sherlock-admin2 opened 1 month ago

sherlock-admin2 commented 1 month ago

yaioxy

High

auction function does not check if collateral amount > debt + protocol fee

Summary

The auction function does not verify that the collateralization ratio is at least 100%, after calculating the new loan amount. This oversight can cause an undercollateralization vulnerability.

Root Cause

The PredictDotLoan::auction function transfers a loan to a new lender, the is calculated and the protocol takes a fee from this amount, resulting with a loan amount higher than the original one.

uint256 debt = _calculateDebt(loan.loanAmount, loan.interestRatePerSecond, callTime - loan.startTime);
uint256 protocolFee = (debt * protocolFeeBasisPoints) / 10_000;

and the new amount is now debt + protocolFee

newLoan.loanAmount = debt + protocolFee;

The issue is that the function does not recalculate or verify the collateral amount with this new loan amount. This oversight allows for the creation of new loans without ensuring the collateral-to-loan ratio is maintained, potentially resulting in undercollateralized positions.

Note that the collateral amount is checked in _refinance function but not in auction function.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

  1. The new lender may be exposed to a higher risk if the collateral does not sufficiently cover the new loan amount.
  2. The collateralization ratio of at least 100% is not met.
  3. The new loaner from the auction could potentially not be eligible to refinance feature, since it checks that the new collateralAmountRequired is greater than the loaner's collateralAmount 
    _refinance(.........
//.......
if (collateralAmountRequired > loan.collateralAmount) {
        revert InsufficientCollateral();
    }
//.....

    And since loan.collateralAmount is too low. this condition will always revert.

PoC

No response

Mitigation

Add a check

+ _assertCollateralizationRatioAtLeastOneHundredPercent(loan.collateralAmount, debt + protocolFee);
sherlock-admin2 commented 1 month ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/PredictDotFun/predict-dot-loan/pull/39