Bubbly Inky Sawfish - The totalPrincipalTokensRepaid and totalInterestCollected may not be updated even when funds are already transferred

[sherlock-admin4]

Bubbly Inky Sawfish

Medium

The totalPrincipalTokensRepaid and totalInterestCollected may not be updated even when funds are already transferred

Summary

The LenderCommitmentGroup_Smart.repayLoanCallback() function will be paused, causing the transaction to continue despite the revert. As a result, while the funds are transferred, the amounts will not be added to totalPrincipalTokensRepaid and totalInterestCollected. This discrepancy will lead to an incorrect calculation of the exchange rate, potentially resulting in a loss of funds for shareholders.

Root Cause

The LenderCommitmentGroup_Smart.repayLoanCallback() function will revert due to being paused.
https://github.com/sherlock-audit/2024-11-teller-finance-update/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L928-L945

    function repayLoanCallback(
        uint256 _bidId,
        address repayer,
        uint256 principalAmount,
        uint256 interestAmount
@>  ) external onlyTellerV2 whenForwarderNotPaused whenNotPaused bidIsActiveForGroup(_bidId) { 
        totalPrincipalTokensRepaid += principalAmount;
        totalInterestCollected += interestAmount;

         emit LoanRepaid(
            _bidId,
            repayer,
            principalAmount,
            interestAmount,
            totalPrincipalTokensRepaid,
            totalInterestCollected
        );
    }

However, the whole transaction will not be reverted because of the try/catch statement.
https://github.com/sherlock-audit/2024-11-teller-finance-update/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/TellerV2.sol#L938-950

        if (loanRepaymentListener != address(0)) {
            require(gasleft() >= 80000, "NR gas");  //fixes the 63/64 remaining issue
@>          try
                ILoanRepaymentListener(loanRepaymentListener).repayLoanCallback{
                    gas: 80000
                }( //limit gas costs to prevent lender preventing repayments
                    _bidId,
                    _msgSenderForMarket(bid.marketplaceId),
                    _payment.principal,
                    _payment.interest
                )
@>          {} catch {}
        }

Borrowers can repay their loans even during a pause. This means that while the funds are transferred, the amounts will not be added to totalPrincipalTokensRepaid and totalInterestCollected. Consequently, the exchange rate will be calculated incorrectly, which could result in a loss of funds for shareholders.

Internal pre-conditions

none

External pre-conditions

none

Attack Path

none

Impact

Loss of fund to shareholders.

PoC

none

Mitigation

The LenderCommitmentGroup_Smart.repayLoanCallback() function should not revert when paused.

[sherlock-admin2]

The protocol team fixed this issue in the following PRs/commits:
teller-protocol/teller-protocol-v2-audit-2024#83