Scrawny Linen Snail

High

If the repayLoanCallback address doesn't implement repayLoanCallback, the try/catch won't enter the catch block and the tx will revert

Summary

If the repaymentListenerForBid contract doesn't implement repayLoanCallback, the loan repayment transaction will revert.

Root Cause

If a contract that a lender sets as loanRepaymentListener doesn't implement repayLoanCallback, the transaction will revert and the catch block won't help.

This is a serious, even critical, problem, because a malicious lender could prevent borrowers from repaying their loans, as repayLoanCallback is called inside _repayLoan. This way he guarantees himself their collateral tokens.

Conversation explaining why try/catch helps only if the transaction is reverted in the target contract, which is not the case here

https://github.com/sherlock-audit/2024-11-teller-finance-update/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/TellerV2.sol#L828-L876

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Lenders can stop borrowers from repaying their loans, forcing their loans to default and revert.

PoC

Let's have the following scenario:

  1. Lender sets the repaymentListenerForBid[_bidId] to a contract which doesn't have a repayLoanCallback function.
  2. Borrower can't repay their debt.

Mitigation

This bug was found in the previous audit. Consider using the same fix as the previous time: teller-protocol/teller-protocol-v2-audit-2024#31
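
One way to keep a listener notification from blocking repayment, shown as an added example: this is not Teller's code and not necessarily the fix referenced above. The contract name, the callback's parameter list, the gas budget and the event are assumptions; only repaymentListenerForBid and repayLoanCallback come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical listener interface; the parameter list is an assumption.
interface ILoanRepaymentListener {
    function repayLoanCallback(uint256 bidId, address repayer, uint256 amount) external;
}

// Illustrative contract, not part of the audited code base.
abstract contract RepaymentNotifier {
    // Assumed gas budget so a listener cannot consume the repayer's gas.
    uint256 private constant LISTENER_GAS = 80_000;

    mapping(uint256 => address) public repaymentListenerForBid;

    event ListenerCallFailed(uint256 indexed bidId, address listener);

    // Fragile form: try/catch only handles a revert raised inside the
    // listener. Checks the compiler emits in this contract around the call
    // (such as the check that the target address has code) are not caught
    // and revert the whole repayment.
    function _notifyFragile(uint256 bidId, address repayer, uint256 amount) internal {
        address listener = repaymentListenerForBid[bidId];
        if (listener == address(0)) return;
        try ILoanRepaymentListener(listener).repayLoanCallback(bidId, repayer, amount) {} catch {}
    }

    // Hardened form: a low-level call reports failure as ok == false instead
    // of reverting, so a failing listener cannot block repayment.
    function _notifyHardened(uint256 bidId, address repayer, uint256 amount) internal {
        address listener = repaymentListenerForBid[bidId];
        // Skip addresses without code rather than calling into nothing.
        if (listener == address(0) || listener.code.length == 0) return;
        (bool ok, ) = listener.call{gas: LISTENER_GAS}(
            abi.encodeCall(ILoanRepaymentListener.repayLoanCallback, (bidId, repayer, amount))
        );
        // Record the failure for monitoring; never revert on it.
        if (!ok) emit ListenerCallFailed(bidId, listener);
    }
}
```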