Submission Details
Severity: high
Valid

Lender can frontrun the borrow() transaction to their advantage

Summary

A lender can front-run the borrower's borrow() transaction to change the pool's interest rate to a higher value and its auction length to a lower one.
As a result, the borrower ends up in a worse loan than they intended (higher interest and a shorter auction length).
Furthermore, the lender can use this to their advantage and liquidate the borrower even though the collateral is still valuable at market prices.

Vulnerability Details

Beedle protocol offers peer-to-peer lending and borrowing: the borrower chooses one of the existing pools off-chain,
then submits a borrow() transaction on chain with the poolId of the chosen pool, which creates a loan between the borrower and the lender using that pool's parameters.

The problem is that any lender (attacker) can create an attractive pool with a low interest rate and a very long auction length, drawing borrowers (victims) into taking a loan against this on-chain pool.

The pool creator (attacker) can then simply front-run the borrower's borrow() transaction with a setPool() transaction that updates interestRate to the maximum value possible and auctionLength to the lowest value possible.

As a result, the borrower (victim) ends up entering a loan with far worse parameters than they intended.

The lender (attacker), on the other hand, can call startAuction() after some time; owing to the high interest, the existing debt that a potential new loan buyer would have to pay becomes very high, making the whole offer unattractive.

Once the auction ends, the lender (attacker) simply calls seizeLoan() to unfairly seize the highly priced collateral from the borrower (victim).

Note that the collateral is still valuable on the market, but because of the manipulated loan parameters nobody is willing to buy the loan.

Impact

The borrower gets a worse deal than intended, while the lender (attacker) gains an unfair advantage through a higher interest rate and a shorter auction length,
which the lender can then use to unfairly seize the borrower's collateral as described above.

Tools Used

Manual Review

Recommendations

Allow the borrower to declare in advance (when submitting the transaction) the interest rate and auction length they are willing to accept for the given pool Id.
Compare those to the pool's current interestRate and auctionLength values for that pool Id, and create the loan only if they match.
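The recommended check, as an added illustration that is not Beedle's code: the Pool struct, storage layout, setPool() and borrow() signatures below are assumptions modelled on the names in this report. It generalises the recommendation slightly by treating the borrower's declared values as bounds (maximum rate, minimum auction length) rather than requiring exact equality, so a lender improving the terms does not make the borrow revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal pool/loan contract; not the Beedle implementation.
contract BorrowTermsGuardExample {
    struct Pool {
        address lender;
        uint256 interestRate;  // assumed to be in basis points
        uint256 auctionLength; // assumed to be in seconds
    }

    mapping(bytes32 => Pool) public pools;

    error RateTooHigh(uint256 accepted, uint256 current);
    error AuctionTooShort(uint256 accepted, uint256 current);

    event LoanCreated(bytes32 indexed poolId, address indexed borrower,
                      uint256 interestRate, uint256 auctionLength);

    // Lender creates or updates a pool; this is the call that can land
    // ahead of a pending borrow() in the same block.
    function setPool(bytes32 poolId, uint256 interestRate, uint256 auctionLength) external {
        Pool storage p = pools[poolId];
        require(p.lender == address(0) || p.lender == msg.sender, "not pool lender");
        p.lender = msg.sender;
        p.interestRate = interestRate;
        p.auctionLength = auctionLength;
    }

    // Borrower states the worst terms they accept. If setPool() changed the
    // pool to worse terms before this executes, the transaction reverts
    // instead of silently creating a loan on the new terms.
    function borrow(bytes32 poolId, uint256 maxInterestRate, uint256 minAuctionLength) external {
        Pool storage p = pools[poolId];
        require(p.lender != address(0), "no such pool");
        if (p.interestRate > maxInterestRate) {
            revert RateTooHigh(maxInterestRate, p.interestRate);
        }
        if (p.auctionLength < minAuctionLength) {
            revert AuctionTooShort(minAuctionLength, p.auctionLength);
        }
        // Collateral transfer and loan bookkeeping omitted; the loan is
        // recorded with the pool's terms as they are at execution time.
        emit LoanCreated(poolId, msg.sender, p.interestRate, p.auctionLength);
    }
}
```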
