Submission Details
Severity: low
Valid

Lenders could receive interest less than expected

Summary

If the lenderFee and borrowerFee variables are updated, the updated fees will be applied to every previously opened loan position, not just newer loan positions. All lenders could receive less interest (yield) than expected.

Vulnerability Details

An admin can set the lenderFee and borrowerFee variables through setLenderFee() and setBorrowerFee(), respectively. The lenderFee can be up to 5000 (50% fee), whereas the borrowerFee can be up to 500 (5% fee).

If these variables are updated, the updated fees will be applied to every previously opened loan position, not just newer loan positions.

More specifically, when repay(), giveLoan(), buyLoan(), seizeLoan(), or refinance() is executed, the fees in effect at that moment are applied. Consequently, lenders could receive less interest (yield) than expected.

function _calculateInterest(
    Loan memory l
) internal view returns (uint256 interest, uint256 fees) {
    uint256 timeElapsed = block.timestamp - l.startTimestamp;
    interest = (l.interestRate * l.debt * timeElapsed) / 10000 / 365 days;
@>  fees = (lenderFee * interest) / 10000;
    interest -= fees;
}
  • Use of the lenderFee: https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L725

function seizeLoan(uint256[] calldata loanIds) public {
    for (uint256 i = 0; i < loanIds.length; i++) {
        ...
        // calculate the fee
@>      uint256 govFee = (borrowerFee * loan.collateral) / 10000;
        ...
    }
}
  • Use of the borrowerFee: https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L561

Impact

All lenders could receive less interest (yield) than expected if the lenderFee and/or borrowerFee variables are updated (i.e., in case of increasing the fees), since the updated fees will be applied to every previously opened loan position, not just newer loan positions.

Tools Used

Manual Review

Recommendations

Consider applying the updated fees to only newer loan positions.

One possible solution is to read the lenderFee and borrowerFee values when a loan is created and record them in the Loan struct. These recorded values stay fixed and are used for that particular loan only.
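
A minimal sketch of the snapshot approach recommended above. This is an added example, not code from the Beedle repository: the contract name, the lenderFeeBps and borrowerFeeBps fields, the _openLoan and _seizeFee helpers, the admin check and the starting fee values are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Beedle's Lender.sol. All names other than
// lenderFee, borrowerFee, setLenderFee, setBorrowerFee and
// _calculateInterest are hypothetical.
contract FeeSnapshotSketch {
    struct Loan {
        uint256 debt;
        uint256 collateral;
        uint256 interestRate;   // basis points per year
        uint256 startTimestamp;
        uint256 lenderFeeBps;   // lenderFee as it was when the loan opened
        uint256 borrowerFeeBps; // borrowerFee as it was when the loan opened
    }

    address public immutable admin;
    uint256 public lenderFee = 1000; // constructed starting values
    uint256 public borrowerFee = 50;
    Loan[] public loans;

    constructor() { admin = msg.sender; }

    function setLenderFee(uint256 _fee) external {
        require(msg.sender == admin && _fee <= 5000, "bad fee update");
        lenderFee = _fee; // only loans opened after this call see it
    }

    function setBorrowerFee(uint256 _fee) external {
        require(msg.sender == admin && _fee <= 500, "bad fee update");
        borrowerFee = _fee;
    }

    // Copy the current global fees into the loan at creation time.
    function _openLoan(uint256 debt, uint256 collateral, uint256 rate) internal returns (uint256 id) {
        loans.push(Loan(debt, collateral, rate, block.timestamp, lenderFee, borrowerFee));
        id = loans.length - 1;
    }

    // Same formula as the finding quotes, but using the per-loan snapshot.
    function _calculateInterest(Loan memory l) internal view returns (uint256 interest, uint256 fees) {
        uint256 timeElapsed = block.timestamp - l.startTimestamp;
        interest = (l.interestRate * l.debt * timeElapsed) / 10000 / 365 days;
        fees = (l.lenderFeeBps * interest) / 10000;
        interest -= fees;
    }

    // Seizure fee taken from the snapshot rather than the global borrowerFee.
    function _seizeFee(Loan memory l) internal pure returns (uint256 govFee) {
        govFee = (l.borrowerFeeBps * l.collateral) / 10000;
    }
}
```

With this layout, a later call to setLenderFee() or setBorrowerFee() changes only the values copied into loans opened afterwards; existing Loan records keep the fees that were in force when they were created.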
