J4de
high
LenderCommitmentForwarder.sol#updateCommitment function can change the lender to someone else
File: LenderCommitmentForwarder.sol
210 function updateCommitment(
211 uint256 _commitmentId,
212 Commitment calldata _commitment
213 ) public commitmentLender(_commitmentId) {
214 require(
215 _commitment.principalTokenAddress ==
216 commitments[_commitmentId].principalTokenAddress,
217 "Principal token address cannot be updated."
218 );
219 require(
220 _commitment.marketId == commitments[_commitmentId].marketId,
221 "Market Id cannot be updated."
222 );
223
224 commitments[_commitmentId] = _commitment;
225
226 //make sure the commitment data still adheres to required specifications and limits
227 validateCommitment(commitments[_commitmentId]);
228
229 emit UpdatedCommitment(
230 _commitmentId,
231 _commitment.lender,
232 _commitment.marketId,
233 _commitment.principalTokenAddress,
234 _commitment.maxPrincipal
235 );
236 }The lender can call updateCommitment to update the status of the commitment that has been released. The problem here is that the lender can modify the lender of the commitment to any other person through this function.
The attack method is as follows:
- Alice issued a commitment worth 100 USD, and she usually approves a token worth 100 USD to the
LenderCommitmentForwardercontract - Bob also issues a commitment worth 100 USD without any collateral (bob also can choose any commitment that has been released in the
updateCommitmentcontract) - Bob calls
updateCommitmentfunction to change the commitment's lender to Alias - Bob accept this commitment as a borrower
- Bob does not need to pay back the money at all, because the loan has not collateral by any
Attackers can steal lenders' funds.
Manual Review
It is recommended that updateCommitment function cannot modify the commitment's lender