20,000 USDC
Submission Details
Severity: high

Lenders can set auction length to 0 and instantly seize any collateral that is deposited in their pool

Summary

When creating a lending pool, several configurations can be set. Among them is the auction length.

/// @notice the length of a refinance auction
uint256 auctionLength;

This is the time, after an auction has started, that the borrower is given to refinance or repay, or for someone else to take up the loan. If no such action is taken within that time, the initial lender can take the collateral via Lender::seizeLoan.

Because there is no check on the minimum value of auctionLength at creation, loans with an auction length of 0 can be created. In those cases, if borrowers take that loan, whether by mistake or through social engineering, their collateral can be taken instantly, because starting an auction and seizing the collateral can be done in the same block.

Vulnerability Details

The lender can start an auction via Lender::startAuction, which sets the auction start time:

// set the auction start timestamp
loans[loanId].auctionStartTimestamp = block.timestamp;

When the auction is finished, the original lender can seize the collateral via Lender::seizeLoan:

if (loan.auctionStartTimestamp == type(uint256).max)
    revert AuctionNotStarted();
if (
    block.timestamp <
    loan.auctionStartTimestamp + loan.auctionLength
) revert AuctionNotEnded();

As shown, startAuction sets auctionStartTimestamp to block.timestamp. With an auctionLength of 0 and both calls in the same block, the check in seizeLoan translates to if (block.timestamp < block.timestamp + 0) revert ..., so it does not revert and the seizure goes through.

Impact

Users who are phished into taking a loan with an auction length of 0 will lose their collateral.

Tools Used

Manual analysis.

Recommended Mitigation

Add a minimum auction time because, as it is, users can be phished into accepting a good offer and instantly lose their collateral.
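
One way to enforce such a minimum, shown as an added example on a reduced model contract; this is not the audited Lender code. The contract name, createLoan, the AuctionTooShort and Unauthorized errors, the lender-only checks and the 1-day MIN_AUCTION_LENGTH value are assumptions made for illustration; the two timestamp checks in seizeLoan are the ones quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Reduced model for illustration only; not the audited Lender contract.
contract AuctionLengthGuard {
    // Assumed floor; the report does not specify a value.
    uint256 public constant MIN_AUCTION_LENGTH = 1 days;

    struct Loan {
        address lender;
        uint256 auctionStartTimestamp; // type(uint256).max means no auction is running
        uint256 auctionLength;
    }

    error AuctionTooShort(); // hypothetical error introduced by the mitigation
    error Unauthorized(); // hypothetical; the model restricts calls to the lender
    error AuctionNotStarted();
    error AuctionNotEnded();

    Loan[] public loans;

    /// Hypothetical stand-in for the creation path where auctionLength is set.
    function createLoan(uint256 auctionLength) external returns (uint256 loanId) {
        if (auctionLength < MIN_AUCTION_LENGTH) revert AuctionTooShort();
        loanId = loans.length;
        loans.push(Loan(msg.sender, type(uint256).max, auctionLength));
    }

    function startAuction(uint256 loanId) external {
        Loan storage loan = loans[loanId];
        if (msg.sender != loan.lender) revert Unauthorized();
        loan.auctionStartTimestamp = block.timestamp; // as in the report
    }

    function seizeLoan(uint256 loanId) external {
        Loan storage loan = loans[loanId];
        if (msg.sender != loan.lender) revert Unauthorized();
        if (loan.auctionStartTimestamp == type(uint256).max) revert AuctionNotStarted();
        // With auctionLength >= MIN_AUCTION_LENGTH this always reverts in the
        // block where startAuction ran, so same-block seizure is impossible.
        if (block.timestamp < loan.auctionStartTimestamp + loan.auctionLength) {
            revert AuctionNotEnded();
        }
        delete loans[loanId]; // collateral transfer omitted in this model
    }
}
```

The same bound has to be applied on every path that can write auctionLength, otherwise a later update can bring the value back to 0.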
