Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
26 lines (19 loc) · 1.33 KB

101.md

File metadata and controls

26 lines (19 loc) · 1.33 KB
Raw

cccz

medium

If overdueBlocks or maxOverdueBlocks suddenly decrease, the user may be immediately written out of the debt

Summary

If overdueBlocks or maxOverdueBlocks suddenly decrease, the user may be immediately written out of the debt

Vulnerability Detail

If overdueBlocks or maxOverdueBlocks suddenly decrease, the user may be immediately written out of the debt

In the UserManager.debtWriteOff function, if block.number > lastRepay + overdueBlocks + maxOverdueBlocks, anyone can call UserManager.debtWriteOff to write off the debts of other users. overdueBlocks and maxOverdueBlocks can be set by the admin and if overdueBlocks or maxOverdueBlocks suddenly decrease, the user may be written off immediately

Impact

if overdueBlocks or maxOverdueBlocks suddenly decrease, the user may be written off immediately

Code Snippet

https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/user/UserManager.sol#L352-L356 https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/market/UToken.sol#L325-L327 https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/user/UserManager.sol#L726-L740

Tool used

Manual Review

Recommendation

Consider caching the current overdueBlocks and maxOverdueBlocks in vouchers when debts are created