Platform: Code4rena
Start Date: 27/04/2022
Pot Size: $50,000 MIM
Total HM: 6
Participants: 59
Period: 5 days
Judge: 0xean
Id: 113
League: ETH
Rank: 13/59
Findings: 1
Award: $1,045.85
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L205-L210
https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L288
A lender can liquidate a borrower's collateral immediately by calling updateLoanParams() in the NFTPairWithOracle contract with a params struct whose ltvBPS is set to 0. This bypasses the checks that are meant to ensure the new terms are favourable to the borrower. The lender can then call removeCollateral and steal the collateral from the borrower, because the "max" loan has now been set to 0.
This means that a borrower can lose their collateral almost instantly after borrowing assets, which nullifies the primary service of the contract.
A POC script can be found here.
Change params.ltvBPS <= cur.ltvBPS to params.ltvBPS >= cur.ltvBPS in here.
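To make the direction of that comparison concrete, the following is an added Python model written for this page; it is not the contract's code. It reduces the loan terms to ltvBPS only and assumes a 10,000 basis-point denominator and a max loan of collateral value times LTV, so the numbers are constructed rather than taken from the audit.

```python
BPS = 10_000  # basis-point denominator; an assumption for this model, not read from the contract


def ltv_update_allowed_vulnerable(cur_ltv_bps: int, new_ltv_bps: int) -> bool:
    # Direction reported in the finding: a lender may only *lower* ltvBPS,
    # so a proposed value of 0 passes the check.
    return new_ltv_bps <= cur_ltv_bps


def ltv_update_allowed_fixed(cur_ltv_bps: int, new_ltv_bps: int) -> bool:
    # Recommended direction: ltvBPS may only be *raised*, which can only
    # increase the debt the borrower's collateral supports.
    return new_ltv_bps >= cur_ltv_bps


def max_loan(collateral_value: int, ltv_bps: int) -> int:
    # Largest debt the oracle-priced collateral supports at the given LTV.
    return collateral_value * ltv_bps // BPS


def undercollateralised(debt: int, collateral_value: int, ltv_bps: int) -> bool:
    # A loan above the LTV-derived maximum is what the lender can act on.
    return debt > max_loan(collateral_value, ltv_bps)


def simulate(check, cur_ltv_bps: int, new_ltv_bps: int, collateral_value: int, debt: int):
    """Run the lender's proposed ltvBPS through `check` and report the outcome for
    an existing loan. Returns (update_accepted, loan_undercollateralised)."""
    if not check(cur_ltv_bps, new_ltv_bps):
        # Update rejected: the loan is judged against the unchanged LTV.
        return False, undercollateralised(debt, collateral_value, cur_ltv_bps)
    return True, undercollateralised(debt, collateral_value, new_ltv_bps)


if __name__ == "__main__":
    # Constructed scenario: collateral worth 10_000 units, 50% LTV, 4_000 borrowed.
    for name, check in (("vulnerable", ltv_update_allowed_vulnerable),
                        ("fixed", ltv_update_allowed_fixed)):
        print(name, "ltvBPS -> 0:", simulate(check, 5_000, 0, 10_000, 4_000))
```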
#0 - cryptolyndon
2022-05-06T04:02:19Z
Duplicate of #51
#1 - cryptolyndon
2022-05-06T04:02:34Z
l