Platform: Code4rena
Start Date: 08/07/2021
Pot Size: $50,000 USDC
Total HM: 7
Participants: 13
Period: 7 days
Judge: ghoulsol
Total Solo HM: 5
Id: 18
League: ETH
Rank: 9/13
Findings: 1
Award: $916.34
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: toastedsteaksandwich
916.341 USDC - $916.34
toastedsteaksandwich
The repayAll() and repayAllETH() functions allow any user to pay off the debt of another user. Since all of the debt is going to be paid, no amount is specified, which allows the recipient of the repayment to frontrun the transaction and increase their debt. The risk of this issue was lowered as it depended on the user having enough tokens and allowance in the case of repayAll(), or having a msg.value higher than the current debt in the case of repayAllETH().
The affected lines are the following:
https://github.com/code-423n4/2021-07-wildcredit/blob/main/contracts/LendingPair.sol#L147
https://github.com/code-423n4/2021-07-wildcredit/blob/main/contracts/LendingPair.sol#L156
The scenario for repayAll() is the following:
debtOf[_token][_account] now returns the higher amount and pays off Bob's new debt.
The scenario for repayAllETH() is similar:
debtOf[address(WETH)][_account] now returns the higher amount and pays off Bob's new debt.
This issue can be mitigated by enforcing a minimum time to hold debt, e.g. not allowing debt to be repaid for at least 6 blocks. Alternatively, the repay() function could be used to replace the 2 affected functions by passing in the _amount as the total debt (looked up off-chain and used in the dapp, for example) so that only up to a certain amount of debt is paid. This also means the repay() function would need to be made payable, and that the msg.value is validated to equal the _amount parameter.
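
The second mitigation above, sketched as an added example that is not code from the WildCredit repository: a simplified ledger showing the unbounded pattern next to a payable repay() capped by _amount. The contract name, the borrow() stand-in, the repayAllUnbounded() name, the ETH sentinel key and the refund step are assumptions made for illustration; collateral checks, interest and WETH wrapping are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Simplified debt ledger for illustration only (hypothetical, not LendingPair.sol).
contract RepaySketch {
    // token => account => outstanding debt, same shape as debtOf in the finding
    mapping(address => mapping(address => uint256)) public debtOf;
    address public constant ETH = address(0); // assumption: sentinel key for ETH debt

    // Stand-in for borrowing: only records debt so the repay paths can be exercised.
    function borrow(address _token, uint256 _amount) external {
        debtOf[_token][msg.sender] += _amount;
    }

    // Unbounded pattern from the finding: the amount is whatever the debt is when
    // the transaction executes, so the payer cannot limit what is pulled.
    function repayAllUnbounded(address _account, address _token) external {
        uint256 amount = debtOf[_token][_account];
        debtOf[_token][_account] = 0;
        require(IERC20(_token).transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Bounded form: the payer passes the debt it looked up off-chain as a ceiling.
    // Debt added after that lookup stays with the borrower.
    function repay(address _account, address _token, uint256 _amount) external payable {
        uint256 debt = debtOf[_token][_account];
        uint256 paid = _amount < debt ? _amount : debt;
        debtOf[_token][_account] = debt - paid; // state updated before any external call
        if (_token == ETH) {
            require(msg.value == _amount, "msg.value != _amount");
            if (_amount > paid) {
                // Debt shrank since the lookup: return the unused ETH.
                (bool ok, ) = msg.sender.call{value: _amount - paid}("");
                require(ok, "refund failed");
            }
        } else {
            require(msg.value == 0, "unexpected ETH");
            require(IERC20(_token).transferFrom(msg.sender, address(this), paid), "transfer failed");
        }
    }
}
```

With the bounded form, a borrow that lands between the payer's lookup and the repayment leaves the extra debt on the borrower's account instead of charging it to the payer.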