Short Fleece Nightingale
High
The choice to allow the owner to set the leverager will cause a loss of assets for the users as the owner will misuse the leverager to drain the protocol's funds.
The choice to allow the owner to set the leverager is a mistake as it enables the owner to potentially drain the protocol's funds.
Owner needs to call setLeverager() to set leverager to be other than address(0).
None.
Owner calls setLeverager() to set a malicious address as the leverager.
Malicious leverager calls borrow() or pullFunds() to withdraw assets from the protocol.
The users suffer an approximate loss of all assets held in the protocol. The attacker gains these assets.
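// Assuming the owner's address is the attacker
function testRugPull() public {
    address maliciousLeverager = address(0x1234567890123456789012345678901234567890);
    LendingPool lendingPool = new LendingPool();
    lendingPool.setLeverager(maliciousLeverager);
    // Malicious leverager withdraws assets. The call has to come from the leverager
    // address and target the pool, so it is made with Foundry's vm.prank (the test
    // contract is assumed to inherit forge-std's Test). Arguments are kept from the
    // original PoC; pullFunds()'s exact signature is not shown in this report.
    vm.prank(maliciousLeverager);
    lendingPool.pullFunds(address(this), 1e18); // Assuming 1e18 is the total asset amount
}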
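The report gives no mitigation. One common way to narrow this risk, as an added example that is not the audited project's code: changing the leverager becomes a two-step, time-delayed action, so users can see a pending change on-chain and withdraw before it takes effect. The contract name, the 2-day delay and every function other than the idea of an owner-set leverager are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch, not the audited LendingPool: the privileged
// leverager role can only change after a public, fixed delay.
contract TimelockedLeveragerRole {
    uint256 public constant DELAY = 2 days; // assumed value
    address public immutable owner;
    address public leverager;        // address allowed to call privileged functions
    address public pendingLeverager; // candidate announced by the owner
    uint256 public pendingEta;       // earliest time the candidate can be activated

    event LeveragerProposed(address indexed candidate, uint256 eta);
    event LeveragerChanged(address indexed previous, address indexed current);

    error NotOwner();
    error ZeroAddress();
    error NothingPending();
    error TooEarly(uint256 eta);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address initialLeverager) {
        if (initialLeverager == address(0)) revert ZeroAddress();
        owner = msg.sender;
        leverager = initialLeverager; // fixed at deployment, before users deposit
    }

    // Step 1: announce the new leverager; the event lets monitors alert users.
    function proposeLeverager(address candidate) external onlyOwner {
        if (candidate == address(0)) revert ZeroAddress();
        pendingLeverager = candidate;
        pendingEta = block.timestamp + DELAY;
        emit LeveragerProposed(candidate, pendingEta);
    }

    // Step 2: activate only once the delay has fully elapsed.
    function activateLeverager() external onlyOwner {
        if (pendingEta == 0) revert NothingPending();
        if (block.timestamp < pendingEta) revert TooEarly(pendingEta);
        emit LeveragerChanged(leverager, pendingLeverager);
        leverager = pendingLeverager;
        delete pendingLeverager;
        delete pendingEta;
    }
}
```

The delay only helps if withdrawals stay available while a change is pending and someone watches for the LeveragerProposed event.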