0xPsuedoPandit
high
In TellerV2.sol contract there is a function repayLoan (Sighash 8a700b53 ) which makes an internal call to _repayLoan and by circumventing through certain checks the borrower can take his collateral back without making a valid payment.
repayLoan (SigHash 8a700b53) takes in two parameters, _bidId The id of the loan to make the payment towards, and _amount The amount of the payment. https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/TellerV2.sol#L629-L655
The borrower can write any arbitrary amount in _amount field, let's say he has entered the value of _amount equal to or greater than owed principal, this amount will be passed down to _repayLoan's payment struct https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/TellerV2.sol#L651
Now inside _repayLoan function the paymentAmount is calculated by " uint256 paymentAmount = _payment.principal + _payment.interest;" this equation, using the values that we have provided, now the borrower can bypass the last check "if (paymentAmount >= _owedAmount) " at line 727 and can get his collateral back unfairly. Note that we have not paid the due amount to the lender yet.
This vulnerability can cause direct fund loss to the lender.
none Manual Review
Pay the lender in the first place and put more access control to prevent this issue.