20,000 USDC
Submission Details
Severity: high
Valid

Forced Liquidation by Lender via Sandwich Attack

Summary

The project is a peer-to-peer lending platform that allows lenders to create pools and set the parameters under which borrowers take loans. The issue is an "Auction Length Manipulation via Sandwich Attack": a lender can sandwich a borrow transaction, manipulating the auction length around it, in order to force liquidation afterwards.

Vulnerability Details

A lender can front-run a borrow transaction with an update that sets the auction length to the minimum possible value (1), then back-run it to restore the previous value and start the auction. This manipulation allows the lender to claim the borrower's collateral immediately, in the next block.

Impact

This vulnerability has a severe impact on the protocol. If exploited, it can lead to substantial financial losses for borrowers, who may lose their collateral to the lender in an unfair manner.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, it is recommended to let the borrower specify the expected auction length and to require that it equal the value stored in the contract, which avoids these race conditions.
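
One way to implement the recommended check, as an added example that is not the audited project's code. The contract, struct, function and error names are hypothetical, and collateral and token transfers are omitted so the sketch stays focused on the term check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal pool, constructed for illustration; not the audited contract.
contract LendingPoolSketch {
    struct Pool {
        address lender;
        uint256 auctionLength; // duration of a liquidation auction
    }
    struct Loan {
        address borrower;
        uint256 poolId;
        uint256 debt;
        uint256 auctionLength; // terms snapshotted when the loan is opened
    }

    error NotLender();
    error AuctionLengthMismatch(uint256 expected, uint256 actual);

    Pool[] public pools;
    Loan[] public loans;

    function createPool(uint256 auctionLength) external returns (uint256 poolId) {
        pools.push(Pool({lender: msg.sender, auctionLength: auctionLength}));
        return pools.length - 1;
    }

    // The lender may still change terms at any time, including in the same
    // block as a pending borrow; the check in borrow() is what protects the borrower.
    function setAuctionLength(uint256 poolId, uint256 newLength) external {
        Pool storage pool = pools[poolId];
        if (msg.sender != pool.lender) revert NotLender();
        pool.auctionLength = newLength;
    }

    // Hardened borrow: the borrower states the auction length they agreed to.
    // If the stored value differs when the transaction executes, the call
    // reverts and no loan is opened on the changed terms.
    function borrow(uint256 poolId, uint256 debt, uint256 expectedAuctionLength)
        external
        returns (uint256 loanId)
    {
        Pool storage pool = pools[poolId];
        if (pool.auctionLength != expectedAuctionLength) {
            revert AuctionLengthMismatch(expectedAuctionLength, pool.auctionLength);
        }
        loans.push(Loan(msg.sender, poolId, debt, pool.auctionLength));
        return loans.length - 1;
    }
}
```

The same pattern applies to any other lender-controlled parameter the loan snapshots at borrow time: each one the borrower relies on needs its own expected value in the call.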
