Submission Details
Severity: medium
Valid

A Malicious Lender can increase the interest rate to a maximum and screw the borrower

Summary

A malicious lender can raise a pool's interest rate to the maximum through updateInterestRate() and front-run a pending borrow, leaving the borrower with a loan at a rate they never agreed to.

Vulnerability Details

In Lender.sol we have updateInterestRate():

function updateInterestRate(bytes32 poolId, uint256 interestRate) external {
    if (pools[poolId].lender != msg.sender) revert Unauthorized();
    if (interestRate > MAX_INTEREST_RATE) revert PoolConfig();
    pools[poolId].interestRate = interestRate;
    emit PoolInterestRateUpdated(poolId, interestRate);
}

This function updates the interest rate for a pool and can only be called by the pool lender.

Imagine the following situation:

  • A borrower finds the pool's current interest rate acceptable and submits a transaction to take out a loan.

  • The malicious lender sees the borrower's pending transaction in the mempool and front-runs it with a call to updateInterestRate() that raises the rate to the maximum.

  • The borrower's transaction is then mined, but the loan is opened at the higher, undesired interest rate.

Impact

The borrower takes an unwanted loan at the maximum interest rate.

Tools Used

Recommendations

I think you should add a parameter with which a borrower states the interest rate they are willing to accept, for example maxInterestRate.
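To make the recommendation concrete, below is an added sketch (not the audited Lender.sol) showing a borrow entry point without a ceiling beside one that takes a caller-supplied maxInterestRate and reverts if the pool's rate has moved above it. The Pool and Loan structs, createPool, the RateTooHigh error and the _record helper are assumptions for illustration only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch, not the audited Lender.sol: only what is needed to show
// the borrower-side rate ceiling. Token transfers and collateral are omitted.
contract LenderSketch {
    struct Pool { address lender; uint256 interestRate; }
    struct Loan { address borrower; uint256 amount; uint256 interestRate; }
    uint256 public constant MAX_INTEREST_RATE = 100_000; // assumed cap
    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;
    error Unauthorized();
    error PoolConfig();
    error RateTooHigh(uint256 current, uint256 accepted); // assumed name
    event PoolInterestRateUpdated(bytes32 indexed poolId, uint256 interestRate);

    // Assumed pool creation so the sketch can be exercised end to end.
    function createPool(bytes32 poolId, uint256 interestRate) external {
        if (pools[poolId].lender != address(0)) revert PoolConfig();
        if (interestRate > MAX_INTEREST_RATE) revert PoolConfig();
        pools[poolId] = Pool({lender: msg.sender, interestRate: interestRate});
    }

    // Same shape as the original: only the lender may move the rate, up to the cap.
    function updateInterestRate(bytes32 poolId, uint256 interestRate) external {
        if (pools[poolId].lender != msg.sender) revert Unauthorized();
        if (interestRate > MAX_INTEREST_RATE) revert PoolConfig();
        pools[poolId].interestRate = interestRate;
        emit PoolInterestRateUpdated(poolId, interestRate);
    }

    // Vulnerable shape: whatever rate is in storage at execution time is applied,
    // so a lender's update mined just before this call is accepted silently.
    function borrowUnchecked(bytes32 poolId, uint256 amount) external returns (uint256) {
        return _record(amount, pools[poolId].interestRate);
    }

    // Hardened shape: the borrower names the worst rate they accept; if the pool's
    // rate has been raised above it, the call reverts instead of opening the loan.
    function borrow(bytes32 poolId, uint256 amount, uint256 maxInterestRate) external returns (uint256) {
        uint256 current = pools[poolId].interestRate;
        if (current > maxInterestRate) revert RateTooHigh(current, maxInterestRate);
        return _record(amount, current);
    }

    function _record(uint256 amount, uint256 rate) internal returns (uint256 loanId) {
        loanId = loans.length;
        loans.push(Loan({borrower: msg.sender, amount: amount, interestRate: rate}));
    }
}
```

The same pattern applies to any other pool parameter the lender can change between a borrower's signing and execution, such as the auction length or the loan-to-value ratio.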
