The collateral ratio doesn't get checked when buying an auctioned loan, disabling some protocol functionalities for the borrower

[codehawks-bot]

The collateral ratio doesn't get checked when buying an auctioned loan, disabling some protocol functionalities for the borrower

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L465

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L518-L522

Summary

The collateral ratio of a loan getting bought by a pool doesn't get checked for compliance with the new pool, disabling refinance() for the user and giveLoan() for the lender.

Vulnerability Details

The buyLoan() function doesn't check whether the loan is compatible with the pool it is getting transferred into.

// @audit no such check here:
if (loan.auctionStartTimestamp == type(uint256).max)
	revert AuctionNotStarted();
if (block.timestamp > loan.auctionStartTimestamp + loan.auctionLength)
	revert AuctionEnded();

Impact

This will disable the user from calling refinance() and the lender from calling giveLoan() as both of these functions have a check for whether the token ratio is within the maxLoanRatio's boundaries.

uint256 loanRatio = (debt * 10 ** 18) / collateral;
if (loanRatio > pool.maxLoanRatio) revert RatioTooHigh();

Tools Used

Manual Review

Recommendations

Consider checking whether the token ratio of the loan is compatible with the pool in buyLoan().