Platform: Code4rena
Start Date: 08/04/2021
Pot Size: $100,000 USDC
Total HM: 3
Participants: 10
Period: 14 days
Judge: Nick Johnson
Total Solo HM: 3
Id: 4
League: ETH
Rank: 2/10
Findings: 2
Award: $22,270.74
🌟 Selected for report: 2
🚀 Solo Findings: 1
🌟 Selected for report: shw
11135.3712 USDC - $11,135.37
shw
** Editing on a previous submission to clarify more details **
In Pool.sol, the lockup restriction of withdrawal (Pool.sol#396) can be bypassed or reduced if new liquidity providers cooperate with existing ones.
lockupPeriod days and calls intendToWithdraw to pass her withdrawal window. Now she is available to receive FDTs from others._transfer function.intendToWithdraw and waits for the withdrawCooldown period. Notice that Alice's depositDate is updated after the transfer; however, since it is calculated using a weighted timestamp, the increased amount of lockup time should be less than lockupPeriod. In situations where the deposit from Alice is much larger than that from Bob, Alice could only even need to wait for the withdrawCooldown period before she could withdraw any funds.None
Force users to wait for the lockup period when transferring FDT to others. Or let the depositDate variable record the timestamp of the last operation instead of a weighted timestamp.
#0 - lucas-manuel
2021-04-27T19:47:14Z
Addressed in this PR https://github.com/maple-labs/maple-core/pull/378
🌟 Selected for report: shw
11135.3712 USDC - $11,135.37
shw
Since the calculation of makeFullPayment (Loan.sol#249) does not consider whether the payment is late or not, the borrower can avoid paying late fees by only calling makeFullPayment instead of makePayment (Loan.sol#238). The borrower has no incentive to repay the loan in time and could
The full payment is calculated by PremiumCalc, which ignores whether the payment is late or not. A configured premium fee calculates the interest; however, it is a fixed value through time. The interest that a borrower should pay for borrowing the loan for any amount of time (e.g., a month or a year) is the same.
None
Calculate late fees in PremiumCalc as in RepaymentCalc to let the borrower pay late fees based on the apr of loan.
#0 - Arachnid
2021-04-27T03:58:10Z
Another way to look at this is that the borrower gets gracePeriod extra days of borrowing for free - just by deferring their final payment. Agree with Medium.
#1 - lucas-manuel
2021-04-27T20:16:48Z
If they deferred their final payment and did makeFullPayment instead of makePayment they would pay premiumFee on their principal, which is set to be a larger amount than a given payment plus late fee, so they would be losing money in this case.
#2 - Arachnid
2021-04-27T23:05:52Z
Based on my understanding of the code:
Relevant configurable parameters are the payment interval (payment_interval), grace period before foreclosure (grace_period), interest payment size (interest_payment), late payment fee as a percentage of interest payment size (late_fee), and premium fee (premium_fee).
If payment_interval * 2 < grace_period, it's possible to be late multiple payments - in which case you pay multiple late fees.
Without charging late payment fees on a full repayment, there are two scenarios in which the borrower can end up better off:
(payment_interval / grace_period) * late_fee > premium_fee, once the borrower is late some number of payment_intervals, they pay less by doing a full repayment with the premium fee than by paying off the normal way.(payment_interval / grace_period) * interest_payment > premium_fee, they can treat the grace period as an extra loan period, and pay no more than they would have in interest (possibly less, depending on the parameters).Since both of these are only possible with certain parameter values, I'm downgrading this to Low. This could be remedied by either putting range checks for these parameter values in loan initialisation, or by calculating 'missed interest' and late fees in makeFullPayment and taking the minimum of that and the premium fee.
#3 - lucas-manuel
2021-04-27T23:25:40Z
We're going to leave as is and just ensure that Pool Delegates are educated around Loan terms and what they entail before funding them.
#4 - lucas-manuel
2021-04-28T17:11:40Z
@Arachnid we have addressed this issue