Code4rena: code423n4/2022-03-sublime-findings, issue 58
Mar 31, 2022

[WP-H9] LenderPool.sol#start() startFeeFraction can be used by a malicious/compromised owner to rug lenders


Lines of code

Vulnerability details

start() pays its caller a fee, sent to an address of the caller's choosing. The fee is startFeeFraction of the pool's _totalLent, and startFeeFraction is set by the owner with no upper bound.

The fee is therefore not tied to the gas cost of calling start(); it scales with the _totalLent of the pool, so a sufficiently large fraction moves a large share of the lenders' funds to whatever address the caller names.

We believe this startFee reward is unnecessary and it creates a potential rug vector.

PoC

Given:

  • A pool with _maxLent of 10M USDC;
  • The pool's _startTime is about to be reached;
  • The pool's _totalLent is 5M USDC.

A malicious/compromised owner can leave startFeeFraction at 0 while lenders deposit, so nothing looks unusual, wait until _startTime, and then do the following in one tx:

  1. Set startFeeFraction to 95%;
  2. Call start() with the to parameter set to the attacker's address.

As a result, 95% of the 5M USDC lent, i.e. 4.75M USDC, is transferred to the attacker.

Recommendation

  1. Consider removing the startFee reward altogether. The borrower should be the one who calls start(), or the protocol can set up a keeper to call start().
  2. Or, at least, enforce a reasonable upper bound when setting a new value for startFeeFraction, e.g. 10 bps or so.
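To make the two recommendations concrete, here is a minimal contract sketch added for this page; it is not Sublime's LenderPool code. It shows the unbounded setter the finding describes beside a capped one, and a start() whose fee is a fraction of totalLent. Everything in it is assumed for illustration: the 1e18 scaling of fractions, the single-owner access control, the lend()/startFee() helpers and the 10 bps cap (MAX_START_FEE_FRACTION) taken from recommendation 2. A real deployment would keep only the bounded setter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch written for this page; it is not Sublime's LenderPool.
// Assumed for illustration: fractions are scaled by 1e18 (1e18 == 100%),
// a single owner sets the fee, and lenders deposit through lend().

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract LenderPoolSketch {
    uint256 public constant SCALING_FACTOR = 1e18; // 100%
    // Hard cap for the hardened setter: 10 bps (0.1%), the order of
    // magnitude suggested in recommendation 2 (assumed value).
    uint256 public constant MAX_START_FEE_FRACTION = SCALING_FACTOR / 1000;

    address public owner;
    IERC20Like public immutable asset;
    uint256 public immutable startTime;
    uint256 public totalLent;
    uint256 public startFeeFraction;
    bool public started;

    constructor(IERC20Like _asset, uint256 _startTime) {
        owner = msg.sender;
        asset = _asset;
        startTime = _startTime;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Lenders deposit before the start time; totalLent tracks the pool balance.
    function lend(uint256 amount) external {
        require(!started && block.timestamp < startTime, "pool started");
        require(asset.transferFrom(msg.sender, address(this), amount), "transfer failed");
        totalLent += amount;
    }

    // Weak setter, the shape the finding describes: any fraction is accepted,
    // including 95% (0.95e18), so the owner can claim almost all of totalLent.
    function setStartFeeFractionUnbounded(uint256 fraction) external onlyOwner {
        startFeeFraction = fraction;
    }

    // Hardened setter: reject anything above the cap.
    function setStartFeeFraction(uint256 fraction) external onlyOwner {
        require(fraction <= MAX_START_FEE_FRACTION, "start fee above cap");
        startFeeFraction = fraction;
    }

    // Fee paid out at start(), as a fraction of what was lent.
    // With lent = 5_000_000e6 (5M USDC) and fraction = 0.95e18 this returns
    // 4_750_000e6; under the 10 bps cap it is at most 5_000e6.
    function startFee(uint256 lent, uint256 fraction) public pure returns (uint256) {
        return lent * fraction / SCALING_FACTOR;
    }

    // start(): the fee goes to a caller-chosen `to`, funded from totalLent.
    function start(address to) external {
        require(!started, "already started");
        require(block.timestamp >= startTime, "before start time");
        started = true;
        uint256 fee = startFee(totalLent, startFeeFraction);
        totalLent -= fee;
        if (fee > 0) {
            require(asset.transfer(to, fee), "transfer failed");
        }
    }
}
```

The cap only addresses recommendation 2; the attack in the PoC still works against setStartFeeFractionUnbounded because the fee is proportional to totalLent rather than to the cost of calling start(). Recommendation 1 goes further by removing the incentive entirely, so that start() is called by the borrower or a keeper and no caller-chosen address receives lenders' funds.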
