026.md

ravikiran.web3

medium

LenderCommitmentForwarder.updateCommitmentBorrowers()

Summary

The implementation of updateCommitmentBorrowers function could lead to corrupt storage. In the commitment, the structure is maintaining a list of borrowersList, which is essentially an EnumerableSetUpgradeable.AddressSet mapped to the commitment id.

The problem is in the delete call on commitmentBorrowersList. The delete call can cause the storage to be corrupted and become unusable.

Refer to the below documentation from OpenZeppelin, [refer line 31 to 31 in the link]

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/utils/structs/EnumerableSetUpgradeable.sol

Vulnerability Detail

The way the list of borrowers for the commitment is done can corrupt the data.

Impact

The list may become unreadable and conflict with the flow of the contract logic. The attempt to add element after deletion may fail.

Code Snippet

https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/LenderCommitmentForwarder.sol#L240-L246

function updateCommitmentBorrowers( uint256 _commitmentId, address[] calldata _borrowerAddressList ) public commitmentLender(_commitmentId) { delete commitmentBorrowersList[_commitmentId]; _addBorrowersToCommitmentAllowlist(_commitmentId, _borrowerAddressList); }

Tool used

Manual Review Code review done manually.

Recommendation

Remove each element one by one using the remove function provided by the library. Or create a fresh instance of the array of EnumerableSet.