Overpowered lender and borrower abilities, can lead to non-liquidatable loans #282
Labels
bug
Something isn't working
downgraded by judge
duplicate
This issue or pull request already exists
edited-by-warden
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L288-L315
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPairCore.sol#L911-L917
Vulnerability details
Impact
A single lender can blacklist all other lenders. A single borrower can blacklist all other borrowers. Oppositely a single lender can whitelist any address and a single borrower can whitelist any address.
The most severe impact of such abilities is the fact that only approved lenders can liquidate loans. Therefore, they can remove all other lenders from the approved list and now all debt positions cannot be liquidated.
Proof of Concept
As stated above, the design allows for any lender or borrower to approve or revoke approvals for any other address. This design relies on the fact that all approved lenders and borrowers will act in good faith. Even a single malicious lender or borrower can blacklist all other lenders or borrower, or oppositely, approve as many addresses as desired.
Non-liquidatable loan via
approvedLender()
modifier after removing all other lenders:Tools Used
Manual review.
Recommended Mitigation Steps
I imagine that a centralized party such as the contract admin should have control over such powerful setter functions.
The text was updated successfully, but these errors were encountered: