Approved lenders and borrowers can cause DoS of the protocol #257
Labels: bug, downgraded by judge, duplicate, edited-by-warden, QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPair.sol#L288-L315
Vulnerability details
Impact
In FraxlendPair, the setters for approved lenders (resp. borrowers) are accessible only to approved lenders (resp. borrowers). These setters allow any lender or borrower to be whitelisted or de-whitelisted. This can be critical if any approved lender or borrower decides to de-whitelist all other users.
Since this issue requires elevated privileges, it is considered a medium risk.
Proof of Concept
Alice is an approved borrower. She decides to de-whitelist all other borrowers except herself. As a result, Alice is the only person in the protocol that can borrow assets (call the borrowAsset function).
Steps:
#1 Call setApprovedBorrowers(, false) - (https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPair.sol#L307-L315)
The same approach applies to approved lenders. In that case, nobody is able to make new deposits, mints and liquidations.
Tools Used
Manual review
Recommended Mitigation Steps
Adjust the logic of setting approved borrowers and lenders.
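One possible adjustment, shown next to a simplified model of the reported behaviour. This is an added example, not code from the Fraxlend repository or from the warden: the contract name, the owner variable, the custom errors and setApprovedBorrowersGuarded are hypothetical, and allowing only the owner to remove other members is an assumed design choice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not Fraxlend code. Contract name, owner, the custom
// errors and setApprovedBorrowersGuarded are hypothetical.
contract BorrowerWhitelistSketch {
    address public immutable owner;
    mapping(address => bool) public approvedBorrowers;

    error OnlyApprovedBorrowers();
    error CannotRemovePeer(address borrower);
    event SetApprovedBorrower(address indexed borrower, bool approved);

    constructor(address[] memory _initial) {
        owner = msg.sender;
        for (uint256 i = 0; i < _initial.length; i++) {
            approvedBorrowers[_initial[i]] = true;
        }
    }

    // Behaviour described in the report: the only gate is "caller is approved",
    // so one approved borrower can pass _approved = false for every other member.
    function setApprovedBorrowers(address[] calldata _borrowers, bool _approved) external {
        if (!approvedBorrowers[msg.sender]) revert OnlyApprovedBorrowers();
        for (uint256 i = 0; i < _borrowers.length; i++) {
            approvedBorrowers[_borrowers[i]] = _approved;
            emit SetApprovedBorrower(_borrowers[i], _approved);
        }
    }

    // Adjusted logic (assumed design): approved borrowers may add peers or remove
    // themselves; removing anyone else is reserved for the owner.
    function setApprovedBorrowersGuarded(address[] calldata _borrowers, bool _approved) external {
        bool isOwner = msg.sender == owner;
        if (!isOwner && !approvedBorrowers[msg.sender]) revert OnlyApprovedBorrowers();
        for (uint256 i = 0; i < _borrowers.length; i++) {
            address b = _borrowers[i];
            if (!_approved && !isOwner && b != msg.sender) revert CannotRemovePeer(b);
            approvedBorrowers[b] = _approved;
            emit SetApprovedBorrower(b, _approved);
        }
    }
}
```

With the guarded setter, a call that tries to remove another member reverts as a whole, so a batch cannot partially de-whitelist peers.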