Scrawny Linen Snail
Medium
In the current implementation of the MarketRegistry contract, any actor can revoke a lender or borrower for markets that require lender or borrower attestation.
The contract defines two versions of the revokeLender function:
-
Function
revokeLender(uint256 _marketId, address _lenderAddress, uint8 _v, bytes32 _r, bytes32 _s)
This function internally calls_revokeStakeholderViaDelegationbut does not verify the signature (v, r, s) against the market owner, nor does it enforce any other ownership or permission checks. This omission allows unauthorized users to revoke stakeholders.Example code from
_revokeStakeholderViaDelegation:function _revokeStakeholderViaDelegation( uint256 _marketId, address _stakeholderAddress, bool _isLender, uint8 _v, bytes32 _r, bytes32 _s ) internal { bytes32 uuid = _revokeStakeholderVerification( _marketId, _stakeholderAddress, _isLender ); // Note: Call to revoke attestation on EAS contracts is disabled. }
-
Function
revokeLender(uint256 _marketId, address _lenderAddress)
This version includes a check to ensure the caller is the market owner.
The discrepancy between these two versions creates an exploitable vulnerability.
No response
No response
No response
Unauthorized revocation of lenders or borrowers can disrupt the proper functioning of markets that rely on stakeholder attestations. This could lead to:
- Denial of service for legitimate lenders and borrowers.
- Loss of trust in the platform.
- Potential financial losses for affected parties.
This vulnerability can be exploited by crafting a transaction to call revokeLender or revokeBorrower with arbitrary v, r, s values.
revokeLender(marketId, victimAddress, randomV, randomR, randomS);This call bypasses ownership and attestation verification, removing the specified lender.
Add Verification : Update the revokeLender and revokeBorrower functions that accept v, r, s to enforce attestation verification against the market owner's signature