The `borrow` and `refinance` functions can be front-run by the pool lender leading to collateral being seized in the next block
Summary
The pool's auctionLength is assigned to the loan without the borrower having the possibility to define a minimum value. This allows the pool lender to front-run the borrower by calling the borrow or refinance function and setting a very short auctionLength value. Resulting in the collateral being seized in the next block.
Vulnerability Details
If a user/borrower calls the borrow or refinance functions, the pool lender can front-run and change the pool's auctionLength to an unfavorable (for the borrower) and very small value (e.g., 1) by using the setPool function. Subsequently, the lender of the pool can start the auction for the loan. Due to the short auctionLength, the auction will end in the next block. This allows the lender (or basically anyone) to seize the collateral in the next block.
The
borrowfunction assigns thepool.auctionLengthto the loan in L259The
refinancefunction updates the loan's auction length to thepool.auctionLengthin L694
Impact
The pool lender can seize the loan's collateral almost immediately (specifically, in the next block), causing a loss to the borrower.
Tools Used
Manual Review
Recommendations
Consider allowing the borrower to define a minimum auction length when borrowing or refinancing and validate if the pool fulfills this criterion. Additionally, consider adding a reasonable minimum value for the auction length (e.g., 1 hour or 1 day) to allow the borrower to act appropriately.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.