0x73696d616f - Incorrect selector in `FlashRolloverLoan_G5::_acceptCommitment()` does not match `SmartCommitmentForwarder::acceptCommitmentWithRecipient()`

Question

0x73696d616f - Incorrect selector in `FlashRolloverLoan_G5::_acceptCommitment()` does not match `SmartCommitmentForwarder::acceptCommitmentWithRecipient()`

Opened this issue 2 months ago · 2 comments

0x73696d616f

medium

Incorrect selector in `FlashRolloverLoan_G5::_acceptCommitment()` does not match `SmartCommitmentForwarder::acceptCommitmentWithRecipient()`

Summary

FlashRolloverLoan_G5::_acceptCommitment() allows picking the SmartCommitmentForwarder, but the selector is incorrect, making it unusable for LenderCommitmentGroup_Smart.

Vulnerability Detail

FlashRolloverLoan_G5::_acceptCommitment() accepts the commitment to SmartCommitmentForwarder if _commitmentArgs.smartCommitmentAddress != address(0). However, the selector used is acceptSmartCommitmentWithRecipient(), which does not match SmartCommitmentForwarder::acceptCommitmentWithRecipient(), DoSing the ability to rollover loans for LenderCommitmentGroup_Smart.

Impact

FlashRolloverLoan_G5 will not work for LenderCommitmentGroup_Smart loans.

Code Snippet

FlashRolloverLoan_G5::_acceptCommitment()

function _acceptCommitment(
    address lenderCommitmentForwarder,
    address borrower,
    address principalToken,
    AcceptCommitmentArgs memory _commitmentArgs
)
    internal
    virtual
    returns (uint256 bidId_, uint256 acceptCommitmentAmount_)
{
    uint256 fundsBeforeAcceptCommitment = IERC20Upgradeable(principalToken)
        .balanceOf(address(this));



    if (_commitmentArgs.smartCommitmentAddress != address(0)) {

            bytes memory responseData = address(lenderCommitmentForwarder)
                .functionCall(
                    abi.encodePacked(
                        abi.encodeWithSelector(
                            ISmartCommitmentForwarder
                                .acceptSmartCommitmentWithRecipient
                                .selector,
                            _commitmentArgs.smartCommitmentAddress,
                            _commitmentArgs.principalAmount,
                            _commitmentArgs.collateralAmount,
                            _commitmentArgs.collateralTokenId,
                            _commitmentArgs.collateralTokenAddress,
                            address(this),
                            _commitmentArgs.interestRate,
                            _commitmentArgs.loanDuration
                        ),
                        borrower //cant be msg.sender because of the flash flow
                    )
                );

            (bidId_) = abi.decode(responseData, (uint256));
        ...

Tool used

Manual Review

Vscode

Recommendation

Insert the correct selector, SmartCommitmentForwarder::acceptCommitmentWithRecipient().

Answer 1 · 2024-05-07T18:15:14.000Z

The protocol team fixed this issue in the following PRs/commits:
teller-protocol/teller-protocol-v2-audit-2024#33

Answer 2 · 2024-06-12T11:06:16.000Z

The Lead Senior Watson signed off on the fix.

Incorrect selector in FlashRolloverLoan_G5::_acceptCommitment() does not match SmartCommitmentForwarder::acceptCommitmentWithRecipient()