Skip to content
This repository has been archived by the owner on Aug 18, 2024. It is now read-only.

0x52 - LendingPool#flashAction is broken when trying to refinance position across LendingPools due to improper access control #145

Open
sherlock-admin2 opened this issue Feb 16, 2024 · 5 comments
Open

0x52 - LendingPool#flashAction is broken when trying to refinance position across LendingPools due to improper access control #145

sherlock-admin2 opened this issue Feb 16, 2024 · 5 comments
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Feb 16, 2024
edited by sherlock-admin
Loading

0x52

medium

LendingPool#flashAction is broken when trying to refinance position across LendingPools due to improper access control

Summary

When refinancing an account, LendingPool#flashAction is used to facilitate the transfer. However due to access restrictions on updateActionTimestampByCreditor, the call made from the new creditor will revert, blocking any account transfers. This completely breaks refinancing across lenders which is a core functionality of the protocol.

Vulnerability Detail

LendingPool.sol#L564-L579

IAccount(account).updateActionTimestampByCreditor();

asset.safeTransfer(actionTarget, amountBorrowed);

{
    uint256 accountVersion = IAccount(account).flashActionByCreditor(actionTarget, actionData);
    if (!isValidVersion[accountVersion]) revert LendingPoolErrors.InvalidVersion();
}

We see above that account#updateActionTimestampByCreditor is called before flashActionByCreditor.

AccountV1.sol#L671

function updateActionTimestampByCreditor() external onlyCreditor updateActionTimestamp { }

When we look at this function, it can only be called by the current creditor. When refinancing a position, this function is actually called by the pending creditor since the flashaction should originate from there. This will cause the call to revert, making it impossible to refinance across lendingPools.

Impact

Refinancing is impossible

Code Snippet

LendingPool.sol#L529-L586

Tool used

Manual Review

Recommendation

Account#updateActionTimestampByCreditor() should be callable by BOTH the current and pending creditor
@github-actions github-actions bot added the Medium A valid Medium severity issue label Feb 21, 2024
@sherlock-admin2
Copy link
Author

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

@sherlock-admin
Copy link
Contributor

The protocol team fixed this issue in PR/commit arcadia-finance/lending-v2#133.

@sherlock-admin2 sherlock-admin2 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 25, 2024
@Thomas-Smets
Copy link

Fix consists out of two PR's:

@sherlock-admin sherlock-admin changed the title Bumpy Concrete Mouse - LendingPool#flashAction is broken when trying to refinance position across LendingPools due to improper access control 0x52 - LendingPool#flashAction is broken when trying to refinance position across LendingPools due to improper access control Feb 28, 2024
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Feb 28, 2024
@IAm0x52
Copy link
Collaborator

IAm0x52 commented Mar 13, 2024

Fix looks good. Removes the updateActionTimestampByCreditor call and instead uses a callback to enforce nonreentrant and prevent ERC777s from reentering

@sherlock-admin4
Copy link

The Lead Senior Watson signed off on the fix.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Thomas-Smets @sherlock-admin @IAm0x52 @sherlock-admin2 @sherlock-admin4