Omniscia Myso Finance Audit

LoanProposalFactory Manual Review Findings

LPF-01M: Unsanitized Funding Pool

Type: Input Sanitization
Severity: (see Impact)
Location: LoanProposalFactory.sol:L23-L58

Description:

The LoanProposalFactory::createLoanProposal function accepts an arbitrary _fundingPool address and forwards it, without any validation, to the newly cloned proposal's initialize call. Any caller can therefore back a loan proposal with a malicious or impersonating pool implementation that is nonetheless registered as a legitimate proposal in isLoanProposal.

Impact:

Depending on how created proposals are handled by the Myso Finance front-end implementations, the severity of this exhibit can range from minor to major.

As an example, if all loan proposals are listed in the Myso Finance application, it would be trivial to create a proposal backed by an attacker-controlled pool that impersonates a legitimate funding pool, and to social engineer unsuspecting users into depositing funds into it on the strength of an attractive-looking loan proposal.

Example:

contracts/peer-to-pool/LoanProposalFactory.sol

```solidity
function createLoanProposal(
    address _fundingPool, // unvalidated: any address is accepted
    address _collToken,
    uint256 _arrangerFee,
    uint256 _unsubscribeGracePeriod,
    uint256 _conversionGracePeriod,
    uint256 _repaymentGracePeriod
) external {
    bytes32 salt = keccak256(
        abi.encodePacked(loanProposalImpl, msg.sender, loanProposals.length)
    );
    address newLoanProposal = Clones.cloneDeterministic(
        loanProposalImpl,
        salt
    );
    // The clone is registered as a legitimate proposal before
    // _fundingPool is ever inspected.
    loanProposals.push(newLoanProposal);
    isLoanProposal[newLoanProposal] = true;
    ILoanProposalImpl(newLoanProposal).initialize(
        msg.sender,
        _fundingPool, // forwarded as-is to the proposal
        _collToken,
        _arrangerFee,
        _unsubscribeGracePeriod,
        _conversionGracePeriod,
        _repaymentGracePeriod
    );

    emit LoanProposalCreated(
        newLoanProposal,
        _fundingPool,
        msg.sender,
        _collToken,
        _arrangerFee,
        _unsubscribeGracePeriod
    );
}
```

Recommendation:

We advise that a dedicated factory for funding pools be introduced to the codebase, and that the _fundingPool input of the LoanProposalFactory::createLoanProposal function be validated against the set of pools that factory has deployed, disallowing malicious implementations from being utilized in the creation of a loan proposal.

Alleviation (c740f7c6b5ebd365618fd2d7ea77370599e1ca11):

The LoanProposalFactory implementation has been replaced by a singleton Factory implementation that deploys both FundingPoolImpl and LoanProposalImpl instances.

In this implementation, the Factory::createLoanProposal function properly validates that the _fundingPool has been deployed via the Factory itself, thus alleviating this exhibit.
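The pattern described in the recommendation and the alleviation, as an added illustrative example that is not the Myso Finance Factory code: a singleton factory that clones both funding pools and loan proposals, records every pool it deploys in an isFundingPool mapping, and rejects any _fundingPool that is not in that registry before a proposal clone is created. The IFundingPoolImpl interface, the _depositToken parameter, the InvalidFundingPool error and the FundingPoolCreated event are assumptions made for this example; the loan proposal parameters mirror the audited createLoanProposal signature.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

// Hypothetical minimal interface for the pool clone (assumption, not Myso's).
interface IFundingPoolImpl {
    function initialize(address factory, address depositToken) external;
}

// Mirrors the initialize call made by the audited createLoanProposal.
interface ILoanProposalImpl {
    function initialize(
        address arranger,
        address fundingPool,
        address collToken,
        uint256 arrangerFee,
        uint256 unsubscribeGracePeriod,
        uint256 conversionGracePeriod,
        uint256 repaymentGracePeriod
    ) external;
}

contract Factory {
    address public immutable fundingPoolImpl;
    address public immutable loanProposalImpl;

    address[] public fundingPools;
    address[] public loanProposals;
    // Registry of pools this factory deployed; the only trust anchor used
    // when a proposal is created.
    mapping(address => bool) public isFundingPool;
    mapping(address => bool) public isLoanProposal;

    error InvalidFundingPool(address fundingPool); // assumed name

    event FundingPoolCreated(address indexed fundingPool, address indexed depositToken);
    event LoanProposalCreated(
        address indexed loanProposal,
        address indexed fundingPool,
        address indexed arranger,
        address collToken,
        uint256 arrangerFee,
        uint256 unsubscribeGracePeriod
    );

    constructor(address _fundingPoolImpl, address _loanProposalImpl) {
        fundingPoolImpl = _fundingPoolImpl;
        loanProposalImpl = _loanProposalImpl;
    }

    // Pools can only come into existence through this function, so the
    // isFundingPool mapping is authoritative.
    function createFundingPool(address _depositToken) external returns (address newFundingPool) {
        bytes32 salt = keccak256(
            abi.encodePacked(fundingPoolImpl, _depositToken, fundingPools.length)
        );
        newFundingPool = Clones.cloneDeterministic(fundingPoolImpl, salt);
        fundingPools.push(newFundingPool);
        isFundingPool[newFundingPool] = true;
        IFundingPoolImpl(newFundingPool).initialize(address(this), _depositToken);
        emit FundingPoolCreated(newFundingPool, _depositToken);
    }

    function createLoanProposal(
        address _fundingPool,
        address _collToken,
        uint256 _arrangerFee,
        uint256 _unsubscribeGracePeriod,
        uint256 _conversionGracePeriod,
        uint256 _repaymentGracePeriod
    ) external returns (address newLoanProposal) {
        // The check the finding asks for: reject before any state is written
        // or any clone is deployed, so no proposal ever references a foreign pool.
        if (!isFundingPool[_fundingPool]) revert InvalidFundingPool(_fundingPool);

        bytes32 salt = keccak256(
            abi.encodePacked(loanProposalImpl, msg.sender, loanProposals.length)
        );
        newLoanProposal = Clones.cloneDeterministic(loanProposalImpl, salt);
        loanProposals.push(newLoanProposal);
        isLoanProposal[newLoanProposal] = true;
        ILoanProposalImpl(newLoanProposal).initialize(
            msg.sender,
            _fundingPool,
            _collToken,
            _arrangerFee,
            _unsubscribeGracePeriod,
            _conversionGracePeriod,
            _repaymentGracePeriod
        );

        emit LoanProposalCreated(
            newLoanProposal,
            _fundingPool,
            msg.sender,
            _collToken,
            _arrangerFee,
            _unsubscribeGracePeriod
        );
    }
}
```

Two details matter for this pattern to actually close the finding. The registry check must run before the proposal clone is pushed and flagged in isLoanProposal, otherwise a reverting initialize is the only thing standing between an attacker and a registered proposal. And the registry must be populated solely by the factory's own deployment path, with no setter that lets an arbitrary address be marked as a pool; a front-end that lists proposals can then use the same isFundingPool view to confirm the pool it displays is one the protocol deployed.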