Skip to content

Latest commit

 

History

History
52 lines (35 loc) · 1.46 KB

023.md

File metadata and controls

52 lines (35 loc) · 1.46 KB

J4de

high

LenderManager.sol contract should confirm the state of the loan when transferring

Summary

LenderManager.sol contract should confirm the state of the bid when transferring

Vulnerability Detail

File: TellerV2.sol
1037     function getLoanLender(uint256 _bidId)
1038         public
1039         view
1040         returns (address lender_)
1041     {
1042         lender_ = bids[_bidId].lender;
1043
1044         if (lender_ == address(lenderManager)) {
1045 >>          return lenderManager.ownerOf(_bidId);
1046         }
1047     }

When the loan is mint out of an NFT, the owner of the NFT is considered to be the LoanLender, so the debt can be freely traded in the secondary market.

Now we have the following attack scenarios:

  1. Alias constructs a load in which both the borrower and the lender are themselves. This loan is worth 100 USD.
  2. Alias sells this loan as NFT for 80 USD
  3. Bob thinks it is profitable and is ready to buy this NFT
  4. Alias pays off debt before trading NFT
  5. Alias gets 80 USD while Bob gets a useless NFT

Impact

can be used to deceive others

Code Snippet

https://github.com/teller-protocol/teller-protocol-v2/blob/cb66c9e348cdf1fd6d9b0416a49d663f5b6a693c/packages/contracts/contracts/LenderManager.sol#L1

Tool used

Manual Review

Recommendation

It is recommended that LenderManager.sol rewrite the transaction function and check the loan status corresponding to the NFT before the transaction.