arman - Contract dev forgot to deploy a proxy before creating a borrow order.

[sherlock-admin2]

arman

Medium

Contract dev forgot to deploy a proxy before creating a borrow order.

Summary

DBOImplementation contract is Initializable and has a one time executableinitialize function instead of a constructor. DBOFactory has an unused implementationContract state variable which is expected to be used with proxy. But the DBOFactory.createBorrowOrder() function does not deploy a proxy when creating a new borrow order.

Root Cause

The DBOFactory.createBorrowOrder() function is as follows:

    function createBorrowOrder(
        bool[] memory _oraclesActivated,
        uint[] memory _LTVs,
        uint _maxInterestRate,
        uint _duration,
        address[] memory _acceptedPrinciples,
        address _collateral,
        bool _isNFT,
        uint _receiptID,
        address[] memory _oracleIDS_Principles,
        uint[] memory _ratio,
        address _oracleID_Collateral,
        uint _collateralAmount
    ) external returns (address) {
        if (_isNFT) {
            require(_receiptID != 0, "Receipt ID cannot be 0");
            require(_collateralAmount == 1, "Started Borrow Amount must be 1");
        }

        require(_LTVs.length == _acceptedPrinciples.length, "Invalid LTVs");
        require(
            _oracleIDS_Principles.length == _acceptedPrinciples.length,
            "Invalid length"
        );
        require(
            _oraclesActivated.length == _acceptedPrinciples.length,
            "Invalid oracles"
        );
        require(_ratio.length == _acceptedPrinciples.length, "Invalid ratio");
        require(_collateralAmount > 0, "Invalid started amount");

        DBOImplementation borrowOffer = new DBOImplementation();

        borrowOffer.initialize(
            aggregatorContract,
            msg.sender,
            _acceptedPrinciples,
            _collateral,
            _oraclesActivated,
            _isNFT,
            _LTVs,
            _maxInterestRate,
            _duration,
            _receiptID,
            _oracleIDS_Principles,
            _ratio,
            _oracleID_Collateral,
            _collateralAmount
        );
        isBorrowOrderLegit[address(borrowOffer)] = true;
        if (_isNFT) {
            IERC721(_collateral).transferFrom(
                msg.sender,
                address(borrowOffer),
                _receiptID
            );
        } else {
            SafeERC20.safeTransferFrom(
                IERC20(_collateral),
                msg.sender,
                address(borrowOffer),
                _collateralAmount
            );
        }
        borrowOrderIndex[address(borrowOffer)] = activeOrdersCount;
        allActiveBorrowOrders[activeOrdersCount] = address(borrowOffer);
        activeOrdersCount++;

        uint balance = IERC20(_collateral).balanceOf(address(borrowOffer));
        require(balance >= _collateralAmount, "Invalid balance");

        emit BorrowOrderCreated(
            address(borrowOffer),
            msg.sender,
            _maxInterestRate,
            _duration,
            _LTVs,
            _ratio,
            _collateralAmount,
            true
        );
        return address(borrowOffer);
    }

It does not deploy a proxy when creating a new borrow order.

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

N/A

Impact

Instead of deploying a proxy an instance of DBOImplementation will be created everytime someone creates an borrow order.

PoC

No response

Mitigation

Replace

        DBOImplementation borrowOffer = new DBOImplementation();

with

        DebitaProxyContract borrowOfferProxy = new DebitaProxyContract(
            implementationContract
        );
        DBOImplementation borrowOffer = DBOImplementation(
            address(borrowOfferProxy)
        );

Inside the DBOFactory.createBorrowOrder() function.