The borrow function can be front-run by a malicious lender who sets the auctionLength of the lending pool to 1, which allows the lender to immediately liquidate the new borrower.
When someone wants to take a loan, they have to call the borrow function with the poolId they want to borrow from. The lender of this pool could be watching the mempool and decide to call the setPool function to update their pool with the minimum auctionLength, which is 1 (i.e. 1 second). With higher gas fees, this transaction will be executed before the borrower's.
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L130
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L232
The malicious lender can then put the loan up for auction by calling startAuction. The auction will end at the next mined block, which leaves no one time to buy it. The lender can then call seizeLoan to liquidate the newly created loan and receive the collateral.
Lenders can immediately liquidate new loans to steal borrowers' collateral.
Manual review + Foundry
Enforce a minimum auctionLength, for example 1 day. In addition, a delay can be added when updating existing pools.
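A sketch of both mitigations together, added here as an illustration; it is not code from this report or from Beedle's Lender.sol. The contract, its function names, the bytes32 pool key and the 1 hour delay are assumptions; only auctionLength and the 1 day floor come from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only: a reduced pool registry, not Beedle's Lender.sol.
/// Every name here except auctionLength is an assumption made for this sketch.
contract PoolParamsSketch {
    uint256 public constant MIN_AUCTION_LENGTH = 1 days; // floor from the recommendation
    uint256 public constant UPDATE_DELAY = 1 hours;      // assumed delay value

    struct Pending {
        uint256 auctionLength;
        uint256 readyAt;
    }

    mapping(bytes32 => address) public lenderOf;
    mapping(bytes32 => uint256) public auctionLength; // value borrowers are bound to
    mapping(bytes32 => Pending) public pending;

    error PoolExists();
    error NotLender();
    error AuctionTooShort();
    error NotReady();

    function createPool(bytes32 poolId, uint256 length) external {
        if (lenderOf[poolId] != address(0)) revert PoolExists();
        if (length < MIN_AUCTION_LENGTH) revert AuctionTooShort();
        lenderOf[poolId] = msg.sender;
        auctionLength[poolId] = length;
    }

    // An update to an existing pool is only queued. The live value is
    // untouched, so a borrow in the same block still sees the old length.
    function queueAuctionLength(bytes32 poolId, uint256 length) external {
        if (lenderOf[poolId] != msg.sender) revert NotLender();
        if (length < MIN_AUCTION_LENGTH) revert AuctionTooShort();
        pending[poolId] = Pending(length, block.timestamp + UPDATE_DELAY);
    }

    // Anyone may apply a queued value once the delay has elapsed.
    function applyAuctionLength(bytes32 poolId) external {
        Pending memory p = pending[poolId];
        if (p.readyAt == 0 || block.timestamp < p.readyAt) revert NotReady();
        auctionLength[poolId] = p.auctionLength;
        delete pending[poolId];
    }
}
```

With the floor alone, an auction started right after a borrow still runs for at least a day; the delay additionally keeps a pending borrow from executing against parameters changed in the same block.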