Platform: Code4rena
Start Date: 05/04/2022
Pot Size: $30,000 USDC
Total HM: 10
Participants: 47
Period: 3 days
Judge: gzeon
Total Solo HM: 4
Id: 106
League: ETH
Rank: 27/47
Findings: 1
Award: $102.04
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xkatana, BouSalman, CertoraInc, Dravee, FSchmoede, Hawkeye, Kenshin, Meta0xNull, PPrieditis, Ruhum, TerrierLover, VAD37, WatchPug, berndartmueller, csanuragjain, hake, horsefacts, hubble, m9800, rayn, reassor, robee, samruna, securerodd, shenwilly, sorrynotsorry, t11s, teryanarmen, tintin, z3s
102.041 USDC - $102.04
Low
Protocol takes origination fee rate on every lend that starts with 1% and can be updated at any time to maximum 5%. The fee is taken from the money sent by the lender to the borrower. The issue with this design is the floating origination fee. Borrower creates a loan and agrees with 1% lend origination fee, but that can be changed by the owner at any time, so at the time of receiving the loan, origination fee might be updated to 5% and borrower is charged the fee he did not agree to.
Attack scenario:
originationFeeRate is 1%nfTLoanFacilitator contract increases originationFeeRate to 5% through updateOriginationFeeRate function (or performs frontrun with this transaction)lend function and 5% of the transferred amount is charged as origination fee5% instead of 1% he agreed toManual Review / VSCode
It is recommended to add originationFeeRate to loan created by borrower, so the user is charged exactly the origination fee he agreed to.
Low
Multiple functions NFTLoanFacilitator.sol contract does not check for zero addresses which might lead to lost funds, failed transactions and can break the protocol functionality.
NFTLoanFacilitator.sol
collateralContractAddress address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L70loanAssetContractAddress address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L73mintBorrowTicketTo address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L75sendCollateralTo address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L116sendLendTicketTo address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L134sendCollateralTo address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L253_contract address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L279_contract address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L289to address - https://github.com/code-423n4/2022-04-backed/blob/e8015d7c4b295af131f017e646ba1b99c8f608f0/contracts/NFTLoanFacilitator.sol#L296Manual Review / VSCode
It is recommended at the minimum to add zero address checks for all listed setter functions. In addition adding checks for functions that are using user's supplied addresses could prevent some unexpected behavior of the contracts.
Low
Changing critical addresses such as ownership of HolyPaladinTokens.sol and PaladinRewardReserver.sol contracts should be a two-step process where the first transaction (from the old/current address) registers the new address (i.e. grants ownership) and the second transaction (from the new address) replaces the old address with the new one. This gives an opportunity to recover from incorrect addresses mistakenly used in the first step. If not, contract functionality might become inaccessible.
Manual Review / VSCode
It is recommended to implement two-step process for passing ownership for NFTLoanFacilitator.sol.
Non-Critical
Deploying and setting NFTLoanFacilitator.sol contract into proper/functional state requires multiple transactions:
There is time frame where the value of lendTicketContract or borrowTicketContract is set to 0 which might expose contract to some attacks and undefined behavior.
Manual Review / VSCode
It is recommended to consider deploying contracts as a single transaction, for example by using factory contract.