The pool's interestRate is copied onto the loan without the borrower being able to specify a maximum acceptable value. This allows the pool lender to front-run a borrower's borrow or refinance transaction and set the pool's interestRate to the highest value the contract permits, i.e. MAX_INTEREST_RATE, leaving the borrower with a very high interest payment.
When a borrower calls the borrow or refinance function, the pool lender can front-run that transaction with a setPool call that raises the pool's interestRate to a value that is unfavorable for the borrower (e.g. MAX_INTEREST_RATE). Because the borrower's transaction then executes against the updated pool state, the loan is created with the raised rate and the interest charged, as computed in _calculateInterest, is far higher than the borrower expected when submitting the transaction.
The borrow function assigns pool.interestRate to the loan in L256.
The refinance function updates the loan's interestRate to pool.interestRate in L688.
Unnecessarily and unexpectedly high interest payments for the borrower.
Manual Review
Consider allowing the borrower to pass a maximum acceptable interest rate when borrowing or refinancing, and revert if the pool's current interestRate exceeds it. Since the check is evaluated against pool state in the same transaction that creates the loan, a front-running setPool call then causes the borrower's transaction to revert instead of silently binding them to the raised rate.
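The following is an added illustration of the recommendation, not code from the audited project. It is a stripped-down, hypothetical lender contract: the names Pool, Loan, setPool, borrow, refinance, MAX_INTEREST_RATE and _calculateInterest are assumed to mirror the report, the basis-point rate encoding and the simple-interest formula are assumptions, and collateral handling is omitted. borrowUnchecked reproduces the vulnerable pattern (the loan takes whatever rate the pool holds at execution time), while borrow and refinance take a borrower-supplied maxInterestRate and revert when the pool's current rate exceeds it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical minimal lender, written to illustrate the finding; not the
/// audited project's code. Names and the rate encoding are assumptions.
contract MinimalLender {
    // Assumed cap on a pool's rate, in basis points (1000% per year).
    uint256 public constant MAX_INTEREST_RATE = 100000;

    struct Pool {
        address lender;
        uint256 interestRate; // annual rate in basis points
        uint256 poolBalance;
    }

    struct Loan {
        address borrower;
        bytes32 poolId;
        uint256 debt;
        uint256 interestRate;   // copied from the pool at borrow/refinance time
        uint256 startTimestamp;
    }

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    error PoolConfig();
    error Unauthorized();
    error RateTooHigh(uint256 poolRate, uint256 maxAccepted);

    function getPoolId(address lender) public pure returns (bytes32) {
        return keccak256(abi.encode(lender));
    }

    /// The lender can change interestRate at any time. Nothing stops this
    /// call from being mined immediately before a pending borrow()/refinance().
    function setPool(uint256 interestRate) external payable {
        if (interestRate > MAX_INTEREST_RATE) revert PoolConfig();
        Pool storage p = pools[getPoolId(msg.sender)];
        p.lender = msg.sender;
        p.interestRate = interestRate;
        p.poolBalance += msg.value;
    }

    /// VULNERABLE pattern: the borrower has no say in the rate written to the loan,
    /// so a front-run setPool(MAX_INTEREST_RATE) is silently accepted.
    function borrowUnchecked(bytes32 poolId, uint256 amount) external returns (uint256 loanId) {
        Pool storage p = pools[poolId];
        p.poolBalance -= amount; // reverts on underflow (insufficient liquidity)
        loans.push(Loan(msg.sender, poolId, amount, p.interestRate, block.timestamp));
        loanId = loans.length - 1;
        payable(msg.sender).transfer(amount);
    }

    /// FIXED: the borrower states the highest rate they accept. The comparison
    /// runs against pool state in this same transaction, so a front-run rate
    /// change makes the borrow revert instead of binding the borrower to it.
    function borrow(bytes32 poolId, uint256 amount, uint256 maxInterestRate)
        external
        returns (uint256 loanId)
    {
        Pool storage p = pools[poolId];
        if (p.interestRate > maxInterestRate) revert RateTooHigh(p.interestRate, maxInterestRate);
        p.poolBalance -= amount;
        loans.push(Loan(msg.sender, poolId, amount, p.interestRate, block.timestamp));
        loanId = loans.length - 1;
        payable(msg.sender).transfer(amount);
    }

    /// FIXED: same guard on the destination pool's rate before it is copied onto the loan.
    function refinance(uint256 loanId, bytes32 newPoolId, uint256 maxInterestRate) external {
        Loan storage l = loans[loanId];
        if (l.borrower != msg.sender) revert Unauthorized();
        Pool storage np = pools[newPoolId];
        if (np.interestRate > maxInterestRate) revert RateTooHigh(np.interestRate, maxInterestRate);

        // Roll accrued interest into the debt, repay the old pool, draw from the new one.
        l.debt += _calculateInterest(l);
        pools[l.poolId].poolBalance += l.debt;
        np.poolBalance -= l.debt;
        l.poolId = newPoolId;
        l.interestRate = np.interestRate;
        l.startTimestamp = block.timestamp;
    }

    /// Assumed simple-interest formula: debt * rate(bps) * elapsed / year.
    function _calculateInterest(Loan storage l) internal view returns (uint256) {
        uint256 elapsed = block.timestamp - l.startTimestamp;
        return (l.debt * l.interestRate * elapsed) / 10000 / 365 days;
    }
}
```

The scenario from the finding plays out as follows against this contract: the borrower submits borrow(poolId, amount, 500) expecting the 5% rate they saw on chain; the lender sees the pending transaction and gets setPool(MAX_INTEREST_RATE) mined first; the borrower's transaction then reverts with RateTooHigh(100000, 500) and no loan is created. With borrowUnchecked the same sequence produces a loan at 1000% per year. The maxInterestRate parameter is the same slippage-style protection borrowers already expect from minimum-output parameters on swaps, and it must be checked against the pool's rate rather than a value cached off-chain.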