Skip to content

Latest commit

 

History

History
75 lines (49 loc) · 3.21 KB

020.md

File metadata and controls

75 lines (49 loc) · 3.21 KB
Raw

Kind Aqua Ostrich

High

Improper proposal validation will let invalid or malicious proposals being matched in PredictDotLoan.sol

Summary

Improper proposal validation will let invalid or malicious proposals being matched in PredictDotLoan.sol

Root Cause

Improper proposal validation occurs when the smart contract fails to robustly verify the properties and conditions of the Proposal structure before processing it. This can lead to invalid or malicious proposals being matched, allowing attackers to exploit the system. https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L320-L449

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Invalid proposals that pass through the validation checks can lead to granting loans that are not backed by collateral. This could result in significant financial losses for the protocol and its users, as the loans may not be repayable. Attackers can leverage this vulnerability to create and match proposals that exploit the contract's logic, potentially draining funds from the protocol or engaging in other malicious activities. If users become aware that the protocol allows invalid or malicious proposals to be matched, it can lead to a loss of trust in the system. Users may hesitate to participate, fearing financial loss or exploitation.

PoC

// Assume this is the original function
function matchProposals(Proposal calldata borrowRequest, Proposal calldata loanOffer) external {
    // The actual validation logic is omitted for brevity
    // _assertProposalIsBorrowRequest(borrowRequest);
    // _assertProposalIsLoanOffer(loanOffer);
    
    // Example of a poorly validated proposal
    if (borrowRequest.collateralAmount == 0) {
        // No check for collateral, can proceed
    }
    
    // Assume more checks are omitted...
}

// Malicious Proposal Creation
function createMaliciousProposal() external {
    Proposal memory maliciousProposal;
    maliciousProposal.from = address(0); // Invalid address (zero address)
    maliciousProposal.loanAmount = 1000 ether; // Unreasonable loan amount
    maliciousProposal.collateralAmount = 0 ether; // No collateral
    maliciousProposal.interestRatePerSecond = 0; // Invalid interest rate
    maliciousProposal.duration = 3600; // 1 hour
    maliciousProposal.validUntil = block.timestamp + 3600; // Valid for 1 hour
    maliciousProposal.signature = ""; // Missing signature
    
    // Attempt to match with a valid loan offer
    matchProposals(maliciousProposal, validLoanOffer);
}

Mitigation

  1. Ensure that all properties of the Proposal structure are thoroughly validated before proceeding with matching. This includes checking for valid addresses, ensuring collateral amounts are non-zero, validating interest rates, and ensuring that all required fields are present.
  2. Implement strict reversion logic that ensures any proposal that fails validation criteria does not proceed further in the function execution.
  3. Provide clear feedback to users on why their proposals may have been rejected due to improper validation, thus improving overall user experience and trust in the system.