Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Overpowered lender and borrower abilities, can lead to non-liquidatable loans #282

Closed
code423n4 opened this issue Aug 17, 2022 · 2 comments
Closed

Overpowered lender and borrower abilities, can lead to non-liquidatable loans #282

code423n4 opened this issue Aug 17, 2022 · 2 comments
Labels
bug Something isn't working downgraded by judge duplicate This issue or pull request already exists edited-by-warden QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

code423n4 commented Aug 17, 2022
edited
Loading

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L288-L315
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L911-L917

Vulnerability details

Impact

A single lender can blacklist all other lenders. A single borrower can blacklist all other borrowers. Oppositely a single lender can whitelist any address and a single borrower can whitelist any address.

The most severe impact of such abilities is the fact that only approved lenders can liquidate loans. Therefore, they can remove all other lenders from the approved list and now all debt positions cannot be liquidated.

  • If the lender is also an approved borrower, they have a non-liquidatable position.
  • Since they are the only lender, they are the only one who can liquidate other borrow positions. This would result in a large profit for the attacker.

Proof of Concept

As stated above, the design allows for any lender or borrower to approve or revoke approvals for any other address. This design relies on the fact that all approved lenders and borrowers will act in good faith. Even a single malicious lender or borrower can blacklist all other lenders or borrower, or oppositely, approve as many addresses as desired.

    function setApprovedLenders(address[] calldata _lenders, bool _approval) external approvedLender(msg.sender) {
        for (uint256 i = 0; i < _lenders.length; i++) {
            // Do not set when _approval == false and _lender == msg.sender
            if (_approval || _lenders[i] != msg.sender) {
                approvedLenders[_lenders[i]] = _approval;
                emit SetApprovedLender(_lenders[i], _approval);
            }
        }
    }

    function setApprovedBorrowers(address[] calldata _borrowers, bool _approval) external approvedBorrower {
        for (uint256 i = 0; i < _borrowers.length; i++) {
            // Do not set when _approval == false and _borrower == msg.sender
            if (_approval || _borrowers[i] != msg.sender) {
                approvedBorrowers[_borrowers[i]] = _approval;
                emit SetApprovedBorrower(_borrowers[i], _approval);
            }
        }
    }

Non-liquidatable loan via approvedLender() modifier after removing all other lenders:

    function liquidate(uint256 _shares, address _borrower)
        external
        whenNotPaused
        nonReentrant
        approvedLender(msg.sender)
        returns (uint256 _collateralForLiquidator)
    {

Tools Used

Manual review.

Recommended Mitigation Steps

I imagine that a centralized party such as the contract admin should have control over such powerful setter functions.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 17, 2022
code423n4 added a commit that referenced this issue Aug 17, 2022
@code423n4
0xDjango issue #282
b7d8bc9
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Aug 17, 2022
@code423n4 code423n4 changed the title Overpowered lender and borrower abilities to approve/disapprove entities Overpowered lender and borrower abilities, can lead to non-liquidatable loans Aug 17, 2022
@amirnader-ghazvini amirnader-ghazvini added the duplicate This issue or pull request already exists label Aug 29, 2022
@amirnader-ghazvini
Copy link
Collaborator

Duplicate of #157

@amirnader-ghazvini amirnader-ghazvini marked this as a duplicate of #157 Aug 29, 2022
@gititGoro gititGoro added downgraded by judge QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Sep 27, 2022
@gititGoro
Copy link
Collaborator

duplicate of #269

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge duplicate This issue or pull request already exists edited-by-warden QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gititGoro @amirnader-ghazvini @code423n4