Kind Aqua Ostrich
High
Improper proposal validation will let invalid or malicious proposals being matched in PredictDotLoan.sol
Improper proposal validation will let invalid or malicious proposals being matched in PredictDotLoan.sol
Improper proposal validation occurs when the smart contract fails to robustly verify the properties and conditions of the Proposal
structure before processing it. This can lead to invalid or malicious proposals being matched, allowing attackers to exploit the system.
https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L320-L449
No response
No response
No response
Invalid proposals that pass through the validation checks can lead to granting loans that are not backed by collateral. This could result in significant financial losses for the protocol and its users, as the loans may not be repayable. Attackers can leverage this vulnerability to create and match proposals that exploit the contract's logic, potentially draining funds from the protocol or engaging in other malicious activities. If users become aware that the protocol allows invalid or malicious proposals to be matched, it can lead to a loss of trust in the system. Users may hesitate to participate, fearing financial loss or exploitation.
// Assume this is the original function
function matchProposals(Proposal calldata borrowRequest, Proposal calldata loanOffer) external {
// The actual validation logic is omitted for brevity
// _assertProposalIsBorrowRequest(borrowRequest);
// _assertProposalIsLoanOffer(loanOffer);
// Example of a poorly validated proposal
if (borrowRequest.collateralAmount == 0) {
// No check for collateral, can proceed
}
// Assume more checks are omitted...
}
// Malicious Proposal Creation
function createMaliciousProposal() external {
Proposal memory maliciousProposal;
maliciousProposal.from = address(0); // Invalid address (zero address)
maliciousProposal.loanAmount = 1000 ether; // Unreasonable loan amount
maliciousProposal.collateralAmount = 0 ether; // No collateral
maliciousProposal.interestRatePerSecond = 0; // Invalid interest rate
maliciousProposal.duration = 3600; // 1 hour
maliciousProposal.validUntil = block.timestamp + 3600; // Valid for 1 hour
maliciousProposal.signature = ""; // Missing signature
// Attempt to match with a valid loan offer
matchProposals(maliciousProposal, validLoanOffer);
}
- Ensure that all properties of the
Proposal
structure are thoroughly validated before proceeding with matching. This includes checking for valid addresses, ensuring collateral amounts are non-zero, validating interest rates, and ensuring that all required fields are present. - Implement strict reversion logic that ensures any proposal that fails validation criteria does not proceed further in the function execution.
- Provide clear feedback to users on why their proposals may have been rejected due to improper validation, thus improving overall user experience and trust in the system.