20,000 USDC
Submission Details
Severity: low
Valid

setPool allows the lender to edit the loan, which can hurt the borrower and cause reverts

Summary

The pool can be edited through setPool, when there should be checks in place that constrain what the rate and the auction length may be and when they can be edited. Because there is no check against open loans, the borrower's calls and certain functions can be made to revert, as I will explain in a moment.

Vulnerability Details

  1. The lender wants to give their loan, but the new pool lender makes it revert, causing a DoS.

  2. The lender can decrease poolBalance, causing the LTV loan amount to fluctuate when the borrower wants to take a loan, but it will revert.

ex:

Bob the borrower wants a 100 USDC loan

Alice rebalances their poolBalance to make the function revert

// @audit here the lender can make a call and frontrun the borrower causing a revert
if (debt > pool.poolBalance) revert LoanTooLarge();

Impact

DoS through reverts: say there are only 10 lenders and they all work together on a cheap chain to fluctuate their poolBalance. The lenders can also fluctuate their interestRate, causing a DoS on the new lender. The same thing can happen with auctionLength. There should be some constraints on how and when a lender/pool can change their agreements.

Tools Used

Recommendations

The main root cause is that there are no constraints on setPool.
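
One possible constraint, shown as an added sketch that is not from this submission or from the audited code base: changes to pool terms are queued and take effect only after a notice period, so a lender's update cannot land in front of a borrower's pending transaction. The contract name, the reduced `Pool` struct, `DELAY`, `queueUpdate` and `applyUpdate` are assumptions; token transfers and access to other pool fields are left out to keep the focus on the update path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited contract. Only poolBalance,
// interestRate, auctionLength and LoanTooLarge appear in the finding;
// every other name here is hypothetical.
contract GuardedPoolSketch {
    struct Pool {
        uint256 poolBalance;
        uint256 interestRate;
        uint256 auctionLength;
    }
    struct Pending {
        Pool terms;
        uint256 readyAt; // 0 means nothing is queued
    }

    uint256 public constant DELAY = 1 days; // assumed notice period
    mapping(address => Pool) public pools;  // one pool per lender (assumed)
    mapping(address => Pending) internal pending;

    error LoanTooLarge();
    error NothingQueued();
    error TooEarly();

    // The lender announces new terms. Live terms are not touched, so this
    // call cannot change the outcome of a borrow already in the mempool.
    function queueUpdate(Pool calldata p) external {
        Pending storage q = pending[msg.sender];
        q.terms = p;
        q.readyAt = block.timestamp + DELAY;
    }

    // Queued terms go live only once the notice period has elapsed.
    function applyUpdate() external {
        Pending memory q = pending[msg.sender];
        if (q.readyAt == 0) revert NothingQueued();
        if (block.timestamp < q.readyAt) revert TooEarly();
        pools[msg.sender] = q.terms;
        delete pending[msg.sender];
    }

    // Same check as quoted in the finding, now evaluated against terms
    // that can only change after public notice.
    function borrow(address lender, uint256 debt) external {
        Pool storage pool = pools[lender];
        if (debt > pool.poolBalance) revert LoanTooLarge();
        pool.poolBalance -= debt; // token transfer omitted in this sketch
    }
}
```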
