20,000 USDC
Submission Details
Severity: medium
Valid

Interest Rate Manipulation via Sandwich Attack

Summary

The project is a peer-to-peer lending platform that allows lenders to create pools and set parameters for borrowers to take loans. A critical issue has been identified where a lender can perform a sandwich attack, manipulating the interest rate to their advantage.

Vulnerability Details

The vulnerability lies in the lender's ability to change the parameters of the loan pool. Specifically, a lender can front-run a borrow transaction by setting the interest rate to the maximum (1000%) and then back-run it by resetting the interest rate to its initial value. This manipulation allows the lender to exploit the system and gain an unfair advantage over the borrowers.

Impact

This vulnerability has a significant impact on the integrity of the platform and the fairness towards borrowers. If exploited, it can lead to substantial financial losses for borrowers, who may end up paying an exorbitant interest rate. Furthermore, it can undermine the trust in the platform, leading to a decrease in its user base and potential legal implications.

Tools Used

Manual Review

Recommendations

To mitigate this issue, consider adding a parameter to the borrow function through which the borrower passes the interest rate they expect, together with a check that reverts the transaction if the pool's current interest rate differs from the expected one.
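A sketch of the recommended check, as an added example that is not the audited project's code. The contract, function, error and constant names are hypothetical, the pool is accounting-only with no token transfers, and the rate is assumed to be expressed in basis points.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustrative accounting-only pool (no token transfers); all names are hypothetical.
contract LendingPoolSketch {
    uint256 public constant MAX_INTEREST_RATE = 100_000; // 1000%, assuming basis points

    struct Pool { address lender; uint256 interestRate; uint256 liquidity; }
    struct Loan { address borrower; uint256 debt; uint256 interestRate; }

    error NotLender();
    error RateAboveMax();
    error InterestRateChanged(uint256 expected, uint256 current);
    error InsufficientLiquidity();

    Pool[] public pools;
    Loan[] public loans;

    function createPool(uint256 rate, uint256 liquidity) external returns (uint256 poolId) {
        if (rate > MAX_INTEREST_RATE) revert RateAboveMax();
        pools.push(Pool(msg.sender, rate, liquidity));
        return pools.length - 1;
    }

    /// The lender may still reprice the pool at any time, including just before a borrow.
    function setInterestRate(uint256 poolId, uint256 newRate) external {
        Pool storage pool = pools[poolId];
        if (msg.sender != pool.lender) revert NotLender();
        if (newRate > MAX_INTEREST_RATE) revert RateAboveMax();
        pool.interestRate = newRate;
    }

    /// `expectedInterestRate` is the rate the borrower saw when signing the transaction.
    function borrow(uint256 poolId, uint256 debt, uint256 expectedInterestRate) external {
        Pool storage pool = pools[poolId];
        // Revert if the rate was changed between signing and execution.
        if (pool.interestRate != expectedInterestRate) {
            revert InterestRateChanged(expectedInterestRate, pool.interestRate);
        }
        if (debt > pool.liquidity) revert InsufficientLiquidity();
        pool.liquidity -= debt;
        // The loan records the rate the borrower agreed to.
        loans.push(Loan(msg.sender, debt, pool.interestRate));
    }
}
```

With this check in place, a rate change that lands ahead of the borrow makes the borrow revert with `InterestRateChanged` instead of opening a loan at the new rate.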
