The refinance and borrow functions in the Lender contract do not check the interest rate of the pool. A malicious lender can raise the rate by frontrunning the borrow transaction submitted by a user.
Consider the borrow transaction. A user looking to borrow a certain loanToken finds a pool with a very low interest rate. But this pool was created by a malicious lender, who sees the user's borrow transaction for their pool in the mempool. The interest rate is never checked in the borrow function. Only the following checks exist:
This allows the malicious lender to raise the pool's interest rate to a very high value with the updateInterestRate function. They pay a higher gas fee so that updateInterestRate is mined before the victim's borrow transaction. Because borrow takes the rate from the pool's storage at execution time, the user ends up with a loan at a very high interest rate. The same applies to the refinance function.
Users could end up with a loan at a much higher interest rate than they intended.
Manual review
Add a maxInterestRate parameter to the borrow function giving the highest rate the user is willing to accept, and check it against the pool's current interest rate at execution time. If the pool's rate is higher than maxInterestRate, the transaction should revert. Apply the same check in refinance. This saves the user from being forced into a risky loan.
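The attack described above and the recommended fix, shown side by side in a simplified contract. This is an added illustration written for this page, not the audited Lender contract: the names pool, borrow, refinance and updateInterestRate come from the finding, while the Pool and Loan layouts, the IERC20 interface, the error names and the simplified refinance (which only moves the principal between pools and ignores accrued interest) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration for this finding, not the audited Lender contract.
// Pool/Loan layout, IERC20 use and error names are assumptions.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract LenderExample {
    struct Pool {
        address lender;
        IERC20 loanToken;
        uint256 interestRate;  // assumed: annual rate in basis points
        uint256 poolBalance;   // loanToken held by the pool
    }

    struct Loan {
        address borrower;
        bytes32 poolId;
        uint256 debt;
        uint256 interestRate;  // rate fixed at the moment the loan is taken
    }

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    error NotLender();
    error NotBorrower();
    error InsufficientLiquidity();
    error RateTooHigh(uint256 poolRate, uint256 maxInterestRate);

    function createPool(bytes32 poolId, IERC20 loanToken, uint256 interestRate, uint256 amount) external {
        require(pools[poolId].lender == address(0), "pool exists");
        loanToken.transferFrom(msg.sender, address(this), amount);
        pools[poolId] = Pool(msg.sender, loanToken, interestRate, amount);
    }

    // The lender may change the rate at any time. In the attack this is the
    // call the lender orders ahead of the victim's borrow.
    function updateInterestRate(bytes32 poolId, uint256 interestRate) external {
        if (pools[poolId].lender != msg.sender) revert NotLender();
        pools[poolId].interestRate = interestRate;
    }

    // Vulnerable shape: the rate is whatever storage holds when the
    // transaction executes, and the borrower never bounds it.
    function borrowUnchecked(bytes32 poolId, uint256 debt) external {
        Pool storage p = pools[poolId];
        if (p.poolBalance < debt) revert InsufficientLiquidity();
        _takeLoan(p, poolId, debt);
    }

    // Mitigated shape: the borrower states the highest rate they accept. If a
    // frontrunning updateInterestRate pushed the pool above it, the borrow
    // reverts instead of locking the borrower into the new rate.
    function borrow(bytes32 poolId, uint256 debt, uint256 maxInterestRate) external {
        Pool storage p = pools[poolId];
        if (p.interestRate > maxInterestRate) revert RateTooHigh(p.interestRate, maxInterestRate);
        if (p.poolBalance < debt) revert InsufficientLiquidity();
        _takeLoan(p, poolId, debt);
    }

    // refinance needs the same bound: it also reads the new pool's rate at
    // execution time. Simplified: moves principal only, ignores interest.
    function refinance(uint256 loanId, bytes32 newPoolId, uint256 maxInterestRate) external {
        Loan storage l = loans[loanId];
        if (l.borrower != msg.sender) revert NotBorrower();
        Pool storage np = pools[newPoolId];
        if (np.interestRate > maxInterestRate) revert RateTooHigh(np.interestRate, maxInterestRate);
        if (np.poolBalance < l.debt) revert InsufficientLiquidity();
        pools[l.poolId].poolBalance += l.debt;  // old pool is repaid
        np.poolBalance -= l.debt;               // new pool funds the debt
        l.poolId = newPoolId;
        l.interestRate = np.interestRate;
    }

    function _takeLoan(Pool storage p, bytes32 poolId, uint256 debt) internal {
        p.poolBalance -= debt;
        loans.push(Loan(msg.sender, poolId, debt, p.interestRate));
        p.loanToken.transfer(msg.sender, debt);
    }
}
```

The borrower passes as maxInterestRate the rate they saw when building the transaction (or that rate plus a small tolerance). Because the comparison is made against the live storage value inside the same transaction, it holds regardless of how the block builder orders the lender's updateInterestRate call relative to the borrow.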