20,000 USDC
Submission Details
Severity: high
Valid

Frontrunning `borrow()` leads to immediate liquidation

Summary

Malicious lenders can frontrun the `borrow()` function (in `Lender.sol`) to immediately liquidate their borrowers.

Vulnerability Details

A malicious lender establishes a lending pool and waits for a borrow transaction targeting their pool. When one appears, they call `setPool()` with a high gas tip so that it executes first, updating the pool's `auctionLength` to 1 second. As a result, the `auctionLength` of the borrower's loan is one second. The lender then calls `startAuction()` on the loan, waits for the transaction to be finalized, then calls `seizeLoan()` to liquidate the borrower. (Note that the `seizeLoan()` transaction must be in the block after the `startAuction()` transaction; otherwise the check on lines 556-559 will fail and cause a revert.)

Impact

Because loans typically require the collateral value to be higher than the loan value, malicious lenders can immediately profit from seizing the borrower's collateral while losing the value of the given loan. Furthermore, borrowers can be unfairly liquidated. User funds are directly at risk.

Tools Used

Recommendations

Implement a minimum loan duration, or do not allow lenders to update the `auctionLength` of their pools.
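
The first recommendation, sketched as an added example (not code from the audited repository or from the submission). It is a simplified model with one pool per lender and no token transfers; `LenderSketch`, `MIN_AUCTION_LENGTH`, the reduced function signatures and the error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified sketch, NOT the audited Lender.sol: one pool per lender, no token
// transfers. MIN_AUCTION_LENGTH and all error names are assumptions.
contract LenderSketch {
    uint256 public constant MIN_AUCTION_LENGTH = 1 days; // assumed floor

    struct Loan { address lender; address borrower; uint256 auctionLength; uint256 auctionStart; }

    mapping(address => uint256) public poolAuctionLength; // lender => current pool terms
    Loan[] public loans;

    error AuctionTooShort();
    error NoPool();
    error NotLender();
    error AuctionNotStarted();
    error AuctionNotEnded();

    // Lenders may still retune their pool, but never below the floor, so a
    // setPool() ordered ahead of borrow() cannot shrink the auction to 1 second.
    function setPool(uint256 auctionLength) external {
        if (auctionLength < MIN_AUCTION_LENGTH) revert AuctionTooShort();
        poolAuctionLength[msg.sender] = auctionLength;
    }

    // The loan snapshots whatever the pool holds at execution time, which is
    // why the pool value itself has to be bounded.
    function borrow(address lender) external returns (uint256 loanId) {
        uint256 len = poolAuctionLength[lender];
        if (len == 0) revert NoPool();
        loans.push(Loan(lender, msg.sender, len, 0));
        return loans.length - 1;
    }

    function startAuction(uint256 loanId) external {
        Loan storage loan = loans[loanId];
        if (msg.sender != loan.lender) revert NotLender();
        loan.auctionStart = block.timestamp;
    }

    // With the floor in place, the earliest seizure is MIN_AUCTION_LENGTH after
    // startAuction(), not the block immediately following it.
    function seizeLoan(uint256 loanId) external {
        Loan storage loan = loans[loanId];
        if (loan.auctionStart == 0) revert AuctionNotStarted();
        if (block.timestamp < loan.auctionStart + loan.auctionLength) revert AuctionNotEnded();
        delete loans[loanId];
    }
}
```

The floor value of one day is a placeholder; the appropriate minimum is a protocol design decision.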
