Lender can change the auction length and take borrowers collateral very fast
Summary
Borrower can end up in a loan with a lot shorter auction length than expected, resulting in lender being able to liquidate him very quickly and take his collateral as there is no check in the borrow() function that the auction length is the same as the auction length at the time of submitting the transaction.
Vulnerability Details
Consider this scenario:
A malicious lender sets up a pool with a very good conditions to attract borrowers and monitors the mem pool
When a user submits a transaction to borrow funds, the lender front-runs him and changes the auction length to 1 second. This can be done as there is no MIN_AUCTION_LENGTH constant.
The borrower ends up in a loan that can be liquidated very quickly - something the borrower did not expect
Impact
Depending on the loan-to-value ratio, the collateral of the borrower could be worth a lot more than the loan. The lender will be able to liquidate him very quickly and take his collateral.
Tools Used
Manual review
Recommendations
You can add a variable auctionLength that should be passed as an argument to the borrow function or you can add it as a parameter of the Borrow struct. Then require auctionLength of the Borrow being equal to the auctionLength of the pool.
Additionally, you can add a MIN_AUCTION_LENGTH constant as it makes sense for the auction to be at least a reasonable amount of time.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.