0xLogos - LenderCommitmentGroup_Smart can be tricked to account for not owned loans payments
Closed this issue · 0 comments
sherlock-admin2 commented
0xLogos
high
LenderCommitmentGroup_Smart can be tricked to account for not owned loans payments
Summary
Any lender can set `LenderCommitmentGroup_Smart` as the callback receiver in `setRepaymentListenerForBid` and break its internal accounting.
Vulnerability Detail
In `_repayLoan`, a callback is made to a user-controlled listener:
```solidity
address loanRepaymentListener = repaymentListenerForBid[_bidId]; // set by lender
if (loanRepaymentListener != address(0)) {
    // failures in the listener are swallowed, so the loan repayment still succeeds
    try
        ILoanRepaymentListener(loanRepaymentListener).repayLoanCallback{
            gas: 80000
        }(
            _bidId,
            _msgSenderForMarket(bid.marketplaceId),
            _payment.principal,
            _payment.interest
        )
    {} catch {}
}
```
`LenderCommitmentGroup_Smart` uses this callback for internal accounting, but it can be tricked into accounting for loans it does not own, because `onlyTellerV2` only checks the caller, not whether the group is the lender of `_bidId`:
```solidity
function repayLoanCallback(
    uint256 _bidId,
    address repayer,
    uint256 principalAmount,
    uint256 interestAmount
) external onlyTellerV2 {
    // no check that this contract is the lender of _bidId
    totalPrincipalTokensRepaid += principalAmount;
    totalInterestCollected += interestAmount;
}
```
Impact
The internal accounting of `LenderCommitmentGroup_Smart` for `totalPrincipalTokensRepaid` and `totalInterestCollected` is broken, which can cause an underflow in `getTotalPrincipalTokensOutstandingInActiveLoans()` and inflate `getPoolTotalEstimatedValue()`.
Code Snippet
Tool used
Manual Review
Recommendation
Do not allow setting `LenderCommitmentGroup_Smart` as listener.
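One way to implement the intent of this recommendation on the group side, as an added illustration that is not Teller's code: the group records every bid it actually funds (the `_recordFundedBid` bookkeeping and the `isGroupLoan` mapping are assumptions for this example) and rejects repayment callbacks for any other bid id, so a lender who points `setRepaymentListenerForBid` at the group cannot inflate its totals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's own code. Only the accounting path relevant
// to this finding is modelled; the loan-origination path is reduced to a single
// hypothetical bookkeeping call.
contract HardenedGroupAccounting {
    address public immutable tellerV2;
    uint256 public totalPrincipalTokensRepaid;
    uint256 public totalInterestCollected;

    // Bid ids for which this contract really is the lender (assumed bookkeeping).
    mapping(uint256 => bool) public isGroupLoan;

    modifier onlyTellerV2() {
        require(msg.sender == tellerV2, "caller must be TellerV2");
        _;
    }

    constructor(address _tellerV2) {
        tellerV2 = _tellerV2;
    }

    // Hypothetical hook: the real contract would call this where it accepts a
    // bid as lender, i.e. the only place a bid can legitimately become "ours".
    function _recordFundedBid(uint256 _bidId) internal {
        isGroupLoan[_bidId] = true;
    }

    // Hardened callback. onlyTellerV2 alone is not sufficient: TellerV2 forwards
    // the callback for ANY bid whose lender chose this address as listener, so the
    // bid id itself must be checked against the group's own records. The revert is
    // swallowed by TellerV2's try/catch, which is fine: the repayment still goes
    // through, and the group's counters are left untouched for foreign loans.
    function repayLoanCallback(
        uint256 _bidId,
        address /* repayer */,
        uint256 principalAmount,
        uint256 interestAmount
    ) external onlyTellerV2 {
        require(isGroupLoan[_bidId], "bid not funded by this group");
        totalPrincipalTokensRepaid += principalAmount;
        totalInterestCollected += interestAmount;
    }
}
```

The revert reason stays visible in transaction traces, which also gives monitoring a signal when someone attempts to route a foreign loan's repayment through the group.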
Duplicate of #42