This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

Rhythmic Bone Boa - Frontrunning permit to DoS repayBorrowWithPermit() #140

Closed
sherlock-admin2 opened this issue Jul 13, 2024 · 3 comments
Labels
Low/Info A Low/Info severity issue Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2
Contributor

Rhythmic Bone Boa

Low/Info

Frontrunning permit to DoS repayBorrowWithPermit()

Summary

An attacker can force the UDai::repayBorrowWithPermit() logic to intentionally fail, causing a temporary DoS.

Root Cause

This is because the permit function is used in conjunction with the repay-borrow logic (UDai::repayBorrowWithPermit()). Since the permit function is permissionless, anyone can call permit() with the given arguments before the repayBorrowWithPermit() function is executed. This causes the second permit call inside the repay-borrow logic to fail, and as a result the entire transaction reverts.

    function repayBorrowWithPermit(
        address borrower,
        uint256 amount,
        uint256 nonce,
        uint256 expiry,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external whenNotPaused {
        IDai erc20Token = IDai(underlying);
        erc20Token.permit(msg.sender, address(this), nonce, expiry, true, v, r, s);   // <@ second permit call

        if (!accrueInterest()) revert AccrueInterestFailed();
        uint256 interest = calculatingInterest(borrower);
        _repayBorrowFresh(msg.sender, borrower, decimalScaling(amount, underlyingDecimal), interest);
    }

Impact

Since there are also other ways to repay the borrowed amount, it is not that severe; the user only has to pay extra gas for the reverted transaction.

PoC

https://github.com/sherlock-audit/2024-06-union-finance-update-2/blob/7ffe43f68a1b8e8de1dfd9de5a4d89c90fd6f710/union-v2-contracts/contracts/market/UDai.sol#L19

Mitigation

Wrap the external permit call in try/catch to avoid failures.
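A hardened version of the function, as an added example that is not the Union Finance code or the submitter's own: the Dai permit call is wrapped in try/catch so a front-run permit (consumed nonce) no longer reverts the repayment, and the allowance check afterwards is what gates the repay. `IDai`, `UDaiPermitHardened`, `InsufficientAllowance` and the abstract hooks are assumptions standing in for the real contract's internals; the `whenNotPaused` modifier and `decimalScaling` step are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Dai-style permit interface (assumed): nonce-based, sets allowance to max when allowed == true.
interface IDai {
    function permit(address holder, address spender, uint256 nonce, uint256 expiry,
                    bool allowed, uint8 v, bytes32 r, bytes32 s) external;
    function allowance(address owner, address spender) external view returns (uint256);
}

abstract contract UDaiPermitHardened {
    address public underlying;   // hypothetical: set by the real market's initializer
    error AccrueInterestFailed();
    error InsufficientAllowance(uint256 have, uint256 want);

    // Hooks the real market contract provides; abstract here so the example stays self-contained.
    function accrueInterest() internal virtual returns (bool);
    function calculatingInterest(address borrower) internal view virtual returns (uint256);
    function _repayBorrowFresh(address payer, address borrower, uint256 amount, uint256 interest) internal virtual;

    function repayBorrowWithPermit(
        address borrower, uint256 amount, uint256 nonce, uint256 expiry,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        IDai dai = IDai(underlying);

        // If someone already submitted this exact permit, the nonce is consumed and the call
        // reverts. The allowance it granted is still in place, so the revert is swallowed here
        // and the allowance check below decides whether repayment may proceed.
        try dai.permit(msg.sender, address(this), nonce, expiry, true, v, r, s) {
            // permit applied in this transaction
        } catch {
            // permit already used (or otherwise rejected); fall through
        }

        uint256 have = dai.allowance(msg.sender, address(this));
        if (have < amount) revert InsufficientAllowance(have, amount);

        if (!accrueInterest()) revert AccrueInterestFailed();
        uint256 interest = calculatingInterest(borrower);
        _repayBorrowFresh(msg.sender, borrower, amount, interest);
    }
}
```

The allowance check is what makes the catch safe: without it, a permit that was rejected for a reason other than a consumed nonce (bad signature, expired deadline) would let execution reach the transfer and fail there with a less informative error.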

@ghost

ghost commented Jul 20, 2024

Escalate
I submitted as low, should be duplicate of #65

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label Jul 20, 2024
@mystery0x
Collaborator

This report has been automatically excluded by the bot and did appear in my judging repo.

@WangSecurity

Issues that were submitted as low/info initially cannot be Medium or high in any case.

@WangSecurity WangSecurity added Low/Info A Low/Info severity issue and removed Low/Info A Low/Info severity issue labels Jul 27, 2024
@rcstanciu rcstanciu removed the Escalated This issue contains a pending escalation label Jul 28, 2024