Full Report
Sovryn is a decentralized trading and lending protocol deployed on RSK, a sidechain of the Bitcoin blockchain. Lenders earn interest on the BTC they lend out. In the DeFi world, most loans are over-collateralized to ensure they can be paid off, because the blockchain has no means of ruining a user's life through a bad credit score or similar consequences if they do not pay the money back.

When a user takes out a loan, the borrow function can be used to specify information about the loan, such as the pool to take the collateral on and the loan id to use. Additionally, a different receiver can be sent as a parameter. By specifying the loanid on the call, an attacker can take out loans for other users. According to the article, this is ONLY possible when the loanid has unused collateral. However, it may have been possible to race the removal of a loan from the contract as well.

To launch this attack, an attacker first needs to identify a loan with unused collateral (theoretically). Next, they need to call borrow() with a receiver that they control. Since the loan is backed by someone else's collateral, there is no penalty for not paying back the loan; they do not have to pay it back.

The same vulnerability exists in the marginTrade() function. A malicious user can put someone else in a bad position by specifying that user. In particular, the function call allowed the trader to be set on the call, when it should have been msg.sender.
Analysis Summary
# Vulnerability: Unauthorized Fund Extraction via Logic Flaw in Sovryn Lending Protocol
## CVE Details
- **CVE ID:** Not Assigned (DeFi/Smart Contract vulnerability)
- **CVSS Score:** 9.0 - 10.0 (Estimated - Critical)
- **CWE:** CWE-285: Improper Authorization; CWE-639: Instance-Level Access Control Check (IDOR)
## Affected Systems
- **Products:** Sovryn Decentralized Trading and Lending Protocol
- **Versions:** Deployments prior to March 11, 2021
- **Configurations:** Smart contracts deployed on the RSK (Rootstock) Bitcoin sidechain, specifically involving the `LoanTokenLogicStandard.sol` contract.
## Vulnerability Description
The vulnerability arises from a lack of identity verification in the `borrow()` and `marginTrade()` functions within `LoanTokenLogicStandard.sol`.
In the `borrow()` function, the protocol failed to validate that the `msg.sender` (the caller) was the legitimate owner of the `loanId` being referenced. While the contract required a valid `loanId` and matching `borrower` address, it allowed the caller to specify an arbitrary `receiver` address. This permitted an attacker to reference a third party's `loanId` containing unused collateral and direct the loan proceeds to their own wallet.
Similarly, the `marginTrade()` function allowed callers to specify a `trader` address without verifying that the caller was that trader, enabling attackers to open unfavorable positions on behalf of other users.
## Exploitation
- **Status:** PoC available (Reported by whitehat "Turbo"); Not exploited in the wild.
- **Complexity:** Medium
- **Attack Vector:** Network (Blockchain Transaction)
## Impact
- **Confidentiality:** None
- **Integrity:** High (Unauthorized modification of loan positions and collateral states)
- **Availability:** High (Loss of user funds/collateral)
- **Financial Risk:** Approximately 6,798.17 USDT was at immediate risk at the time of discovery.
## Remediation
### Patches
- Sovryn implemented a fix in March 2021 shortly after disclosure. The fix involved adding a `require` statement to ensure that the `msg.sender` is the authorized borrower/trader for the specified `loanId` or that the transaction is initializing a new loan (`loanId == 0`).
### Workarounds
- No manual workarounds were available for users; the vulnerability required a protocol-level smart contract update/redeployment.
## Detection
- **Indicators of Compromise:** Transactions to the `borrow()` function where the `receiver` address does not match the known addresses of the `borrower` associated with the `loanId`.
- **Detection Methods:** On-chain monitoring of `borrow` and `marginTrade` events to verify that the initiator matches the beneficiary or the impacted account.
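
An added example (not code from Sovryn or the bugfix review) of the monitoring check described above: it flags decoded `borrow` and `marginTrade` calls that act on an existing `loanId` when the sender is not the borrower or trader. The call records, addresses and field names are constructed assumptions.

```python
# Added example, not Sovryn code. Records below are constructed; the field
# names ("from", "function", "args") are assumed decoder output, not a real ABI.

# Decoded argument naming the account whose position the call affects.
OWNER_ARG = {"borrow": "borrower", "marginTrade": "trader"}

ALICE = "0x" + "A1" * 20          # constructed loan owner
MALLORY = "0x" + "b2" * 20        # constructed unrelated caller
LOAN = "0x" + "00" * 31 + "07"    # constructed existing loanId
NEW = "0x" + "00" * 32            # loanId == 0 opens a new loan

SAMPLE_CALLS = [
    {"tx": "t1", "from": ALICE, "function": "borrow",
     "args": {"loanId": NEW, "borrower": ALICE, "receiver": ALICE}},
    {"tx": "t2", "from": MALLORY, "function": "borrow",
     "args": {"loanId": LOAN, "borrower": ALICE, "receiver": MALLORY}},
    {"tx": "t3", "from": MALLORY, "function": "marginTrade",
     "args": {"loanId": LOAN, "trader": ALICE}},
    {"tx": "t4", "from": ALICE.lower(), "function": "borrow",
     "args": {"loanId": LOAN, "borrower": ALICE, "receiver": ALICE}},
]


def review_call(call):
    """Return findings for one decoded call; an empty list means clean."""
    owner_arg = OWNER_ARG.get(call["function"])
    if owner_arg is None:
        return []                      # not a function this check covers
    args = call["args"]
    if int(args["loanId"], 16) == 0:
        return []                      # new loan: no existing owner to protect
    # Compare lower-cased so checksum casing does not cause false hits.
    sender, owner = call["from"].lower(), args[owner_arg].lower()
    findings = []
    if sender != owner:
        findings.append(f"sender is not the {owner_arg} of the existing loan")
    if "receiver" in args and args["receiver"].lower() != owner:
        findings.append("receiver differs from the loan's borrower")
    return findings


def scan(calls):
    """Map tx id -> findings for every call that raised at least one."""
    reviewed = {c["tx"]: review_call(c) for c in calls}
    return {tx: f for tx, f in reviewed.items() if f}


if __name__ == "__main__":
    print(scan(SAMPLE_CALLS))
```

On a live chain the comparison should use the `msg.sender` of the call taken from a trace, which differs from the transaction origin when the call is made through another contract.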
## References
- Sovryn Bugfix Review: hxxps://medium[.]com/immunefi/sovryn-loan-vulnerability-bugfix-review-ffaf4d1d688f
- Immunefi Platform: hxxps://immunefi[.]com/
- RSK Network: hxxps://rsk[.]co/