In the batch refinance function, the check for whether the borrower has enabled automatic refinancing (autoRefinancingEnabled[borrower] == 0) occurs after calling the _refinance function. This means that even if the borrower hasn’t enabled automatic refinancing, the contract has already made state changes (e.g., loan status updates, fund transfers), only to revert afterward. This not only wastes gas but can also lead to unexpected behavior.
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Rollback after state changes: If the borrower has not enabled automatic refinancing, calling _refinance first leads to a full transaction rollback, undoing state changes (like loan updates or fund transfers). This wastes gas and might result in unexpected state inconsistencies.
Inefficiency: Multiple unnecessary operations (e.g., state changes, transfers) are performed before the error is detected and the transaction is reverted, increasing the overall gas cost of the transaction.
PoC
No response
Mitigation
Move the check for whether the borrower has enabled automatic refinancing before calling _refinance. This will prevent the unnecessary execution of operations and avoid wasteful rollbacks.
Slow Hazel Copperhead
Medium
Order of Operations in Batch Refinancing
Summary
https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol
L500
In the batch refinance function, the check for whether the borrower has enabled automatic refinancing (autoRefinancingEnabled[borrower] == 0) occurs after calling the _refinance function. This means that even if the borrower hasn’t enabled automatic refinancing, the contract has already made state changes (e.g., loan status updates, fund transfers), only to revert afterward. This not only wastes gas but can also lead to unexpected behavior.
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Rollback after state changes: If the borrower has not enabled automatic refinancing, calling _refinance first leads to a full transaction rollback, undoing state changes (like loan updates or fund transfers). This wastes gas and might result in unexpected state inconsistencies. Inefficiency: Multiple unnecessary operations (e.g., state changes, transfers) are performed before the error is detected and the transaction is reverted, increasing the overall gas cost of the transaction.
PoC
No response
Mitigation
Move the check for whether the borrower has enabled automatic refinancing before calling _refinance. This will prevent the unnecessary execution of operations and avoid wasteful rollbacks.