0x73696d616f - Incorrect selector in `FlashRolloverLoan_G5::_acceptCommitment()` does not match `SmartCommitmentForwarder::acceptCommitmentWithRecipient()`
Opened this issue · 2 comments
0x73696d616f
medium
Incorrect selector in FlashRolloverLoan_G5::_acceptCommitment()
does not match SmartCommitmentForwarder::acceptCommitmentWithRecipient()
Summary
FlashRolloverLoan_G5::_acceptCommitment()
allows picking the SmartCommitmentForwarder
, but the selector is incorrect, making it unusable for LenderCommitmentGroup_Smart
.
Vulnerability Detail
FlashRolloverLoan_G5::_acceptCommitment()
accepts the commitment to SmartCommitmentForwarder
if _commitmentArgs.smartCommitmentAddress != address(0)
. However, the selector used is acceptSmartCommitmentWithRecipient()
, which does not match SmartCommitmentForwarder::acceptCommitmentWithRecipient()
, DoSing the ability to rollover loans for LenderCommitmentGroup_Smart
.
Impact
FlashRolloverLoan_G5
will not work for LenderCommitmentGroup_Smart
loans.
Code Snippet
FlashRolloverLoan_G5::_acceptCommitment()
function _acceptCommitment(
address lenderCommitmentForwarder,
address borrower,
address principalToken,
AcceptCommitmentArgs memory _commitmentArgs
)
internal
virtual
returns (uint256 bidId_, uint256 acceptCommitmentAmount_)
{
uint256 fundsBeforeAcceptCommitment = IERC20Upgradeable(principalToken)
.balanceOf(address(this));
if (_commitmentArgs.smartCommitmentAddress != address(0)) {
bytes memory responseData = address(lenderCommitmentForwarder)
.functionCall(
abi.encodePacked(
abi.encodeWithSelector(
ISmartCommitmentForwarder
.acceptSmartCommitmentWithRecipient
.selector,
_commitmentArgs.smartCommitmentAddress,
_commitmentArgs.principalAmount,
_commitmentArgs.collateralAmount,
_commitmentArgs.collateralTokenId,
_commitmentArgs.collateralTokenAddress,
address(this),
_commitmentArgs.interestRate,
_commitmentArgs.loanDuration
),
borrower //cant be msg.sender because of the flash flow
)
);
(bidId_) = abi.decode(responseData, (uint256));
...
Tool used
Manual Review
Vscode
Recommendation
Insert the correct selector, SmartCommitmentForwarder::acceptCommitmentWithRecipient()
.
The protocol team fixed this issue in the following PRs/commits:
teller-protocol/teller-protocol-v2-audit-2024#33
The Lead Senior Watson signed off on the fix.