sherlock-audit/2024-04-teller-finance-judging

0x3b - `_sendOrEscrowFunds` will brick LCG funds causing insolvency


0x3b

high

_sendOrEscrowFunds will brick LCG funds causing insolvency

Summary

LenderCommitmentGroup (LCG) will have its funds stuck if `transferFrom` inside `_sendOrEscrowFunds` reverts for some reason. This will increase the share price but not transfer any funds, causing insolvency.

Vulnerability Detail

`_sendOrEscrowFunds` has `try` and `catch`, where `try` attempts `transferFrom`, and if that fails, `catch` calls `deposit` on the `EscrowVault`. The `try` is implemented in case `transferFrom` reverts, ensuring the repay/liquidation call does not. If `transferFrom` reverts due to any reason, the tokens will be stored inside `EscrowVault`, allowing the lender to withdraw them at any time.

However, for LCG, if such a deposit happens, the tokens will be stuck inside `EscrowVault` since LCG lacks a `withdraw` implementation. The share price will still increase, as the next `if` will pass, but this will cause more damage to the pool. Not only did it lose capital, but it also became insolvent.

    ILoanRepaymentListener(loanRepaymentListener).repayLoanCallback{gas: 80000}(
        _bidId,
        _msgSenderForMarket(bid.marketplaceId),
        _payment.principal,
        _payment.interest
    )

The pool is insolvent because the share value has increased, but the assets in the pool have not, meaning the last few LPs won't be able to withdraw.

Impact

Fund loss for LCG and insolvency for the pool, as share price increases, but assets do not.

Code Snippet

    IEscrowVault(escrowVault).deposit(
        lender,
        address(bid.loanDetails.lendingToken),
        paymentAmountReceived
    );

Tool used

Manual Review

Recommendation

Implement the withdraw function inside LCG, preferably callable by anyone.
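
The accounting gap described in the report, as an added Python model that is not part of the original report or Teller's code. The `Pool` class, `simulate` function and all amounts are constructed for illustration, and the share math is simplified to accounted assets divided by total shares.

```python
# Simplified model of the share accounting (constructed; not Teller's contracts).
class Pool:
    def __init__(self):
        self.cash = 0        # lending tokens the pool actually holds
        self.accounted = 0   # value the share price is computed from
        self.shares = {}     # LP -> share balance

    def deposit(self, lp, amount):
        total = sum(self.shares.values())
        minted = amount if total == 0 else amount * total // self.accounted
        self.shares[lp] = self.shares.get(lp, 0) + minted
        self.cash += amount
        self.accounted += amount

    def lend(self, amount):
        self.cash -= amount  # a loan is still an asset, so `accounted` is unchanged

    def repay_callback(self, principal, interest):
        self.accounted += interest  # runs whether or not the tokens arrived

    def redeem(self, lp):
        """Pay out an LP's full position; None models a reverted withdrawal."""
        total = sum(self.shares.values())
        owed = self.shares[lp] * self.accounted // total
        if owed > self.cash:
            return None
        self.shares.pop(lp)
        self.cash -= owed
        self.accounted -= owed
        return owed

def simulate(transfer_ok, pool_can_withdraw_escrow):
    pool, escrow = Pool(), 0
    pool.deposit("alice", 100)
    pool.deposit("bob", 100)
    pool.lend(50)
    principal, interest = 50, 10
    if transfer_ok:                   # try: transferFrom to the lender succeeds
        pool.cash += principal + interest
    else:                             # catch: EscrowVault.deposit(lender, ...)
        escrow += principal + interest
    pool.repay_callback(principal, interest)
    if pool_can_withdraw_escrow:      # the report's recommendation
        pool.cash, escrow = pool.cash + escrow, 0
    payouts = [pool.redeem(lp) for lp in ("alice", "bob")]
    return payouts, escrow
```

With the transfer failing and no way for the pool to claim from escrow, the first LP exits at the inflated share price and the last LP's redemption cannot be covered.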

The protocol team fixed this issue in the following PRs/commits:
teller-protocol/teller-protocol-v2-audit-2024#19

The Lead Senior Watson signed off on the fix.