Vendor Finance: Incident Report and Fix
Last week during a routine internal code review an issue was identified by the Vendor team. Announcing this issue before fixing it would have potentially put lenders at risk. We have fixed this issue, no funds are at risk.
We have decided to release the findings and solution.
The Issue :
The issue involved rollover pools. The process of a rollover for a lender involves creating a new pool with the same tokens and a longer expiry. However, there was a potential issue with this process. All pools allowed for the transfer of ownership in the event that the lender cannot access the pool deployers private key. This means that a malicious actor could create a new pool with favorable terms for themselves. They could then transfer ownership to a lender that they have borrowed from, potentially granting themselves an unauthorized extension on their loan. In a worst-case scenario, the malicious borrower could have set the lend ratio to an extremely high number and take away both the borrowed and lent funds from the original pool.
The OLD rollover logic relies on the following checks:
- Make sure the new pool has the same collateral token
- Make sure the new pool has the same lend token
- Make sure the new pool has a longer expiry
- Make sure the new pool has the same owner
Mitigation/Fix :
Since this was an internal find we decided to not pause the protocol and proceeded to add a two factor ownership change on the pools. This way malicious borrowers will not be able to transfer pools to other lenders without their consent. This was done nearly three hours after the incident was found. Three hours is exactly the time the update had to wait in the time-lock. We will consider increasing the time-lock period to a longer amount in the future. The fix that was implemented solved the problem of malicious borrowers creating new pools to take advantage of the aforementioned issue.
We do not have the ability to forcefully upgrade existing pools, only lenders are able to do that to a whitelisted implementation. Since that was the case, we had to pause all existing pools that had long expiries and risky LTVs (lend ratios). We used our First Responder multi-sig and that was done within about an hour since the incident was identified. At the time we could not propose the new update for users to upgrade to it, because malicious borrowers with a pool that already exists would just ignore that request.
Paused Pools (Adresses):
- 0x07aAf6A1aa00bf75330D750f3F8E8E5eA8BD292f
- 0x0767E3E55b1B056E9C1D128a3B73b04Bc1246133
- 0xf8139974ad1d34bB2168Fb5DfF3e9Cb9F00FecF6
- 0xe7e44cc639f2Dff5E827492D48602FF3D632aA4f
- 0xA273242093E0De7015D3E210Bc871840AE735bF9
- 0x4E5d12708d8157dc06c9C6C45eF9722A3b4773bD
- 0x39b9F0c8bD0B1ADD3756b0726c60E71A36225424
The NEW rollover logic relies on the following checks:
- Make sure the new pool has the same collateral token
- Make sure the new pool has the same lend token
- Make sure the new pool has a longer expiry
- Make sure the new pool has the same owner
- Make sure the destination pool has been whitelisted by the lender
Improvements and Changes Made
- We have upgraded to an implementation that supports the new rollover functionality which can be seen in the following contract link: https://arbiscan.io/address/0x512445cD569889a03Ef61b6f1c8Fc2346D670f49. Any new pools deployed will have this already in place as of this post.
- Rollovers are now only possible into a lenders whitelisted pools. Only lenders can enable these whitelisted pools via the User Interface/UI under the “My Pools” page, as seen below.
- By default, rolling over is disabled unless the lender whitelists a specific pool.
- Rollovers into specific pools can be disabled by the lender at anytime via the same UI control mentioned above.
- We are scheduling additional audits for our code base.
Actions to be taken by lenders ⚠️:
There is an updated version of the lending pools available. While no funds are at risk and the upgrade is optional, we strongly suggest lenders to upgrade existing lending pools for improved experience and security. Vendor Team can not upgrade the pools on your behalf.
You can do this on the User Interface with one-click! This Upgrade button will show up under the “My Pools” tab under your “Lent” pools.
You have 48 hours to do this upgrade on existing pools.
After upgrading your pools, if you would like to whitelist a specific rollover pool, that can be done as mentioned above under the “improvements and changes made” paragraph.
Lastly, we are sorry for any lenders whose pools were paused and also for the inconvenience this may cause. If you have ANY questions or concerns, please reach out to us on discord. Thank you in advance for you understanding of this matter. We greatly appreciate all feedback and support from our community.
~Vendor Team
