The function setPool allows a lender to set a very low auctionLength value, which could be maliciously used to seize the collateral of the borrower.
The function setPool has the following checks:
Note that auctionLength cannot be 0 or greater than MAX_AUCTION_LENGTH, but it can take any value in between. That means the value can be as low as 1 second. When a user/victim borrows against this pool, the malicious lender would immediately call the startAuction function. Other lenders will not be able to buy the loan using the buyLoan function, because the following condition would fail:
The condition would fail because the auctionStartTimestamp is set to a very low value (maybe 1 second). Since no one is able to buy the loan, the malicious lender would next call the seizeLoan function. The seizeLoan call will be executed because the auction ends very soon, owing to the low auctionStartTimestamp value. This allows the lender to take over the collateral of the user and clear their outstanding loans.
One condition is that users would have to accept loans with such low auctionLength values, but unaware users can be lured into doing so because a malicious lender might offer loans at very low interest rates, high maxLoanRatio, etc.
The collateral of a user can be easily seized if the auctionLength is set to a very low value.
Manual review
It is recommended that the protocol introduce a variable called MIN_AUCTION_LENGTH to prevent lenders from setting extremely low auction lengths.
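One way to express the recommended lower bound, as an added sketch that is not the audited contract's code. Only auctionLength, MAX_AUCTION_LENGTH and MIN_AUCTION_LENGTH come from this finding; the struct layout, error names, event, pool id derivation and both constant values are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration of a bounded auctionLength; not the protocol's contract.
contract AuctionLengthBounds {
    // Both values are assumptions; the finding does not state them.
    uint256 public constant MIN_AUCTION_LENGTH = 1 days;
    uint256 public constant MAX_AUCTION_LENGTH = 3 days;

    // Hypothetical, reduced pool configuration: only the fields needed here.
    struct PoolConfig {
        address lender;
        uint256 auctionLength; // seconds between auction start and seizure
    }

    error NotLender();
    error AuctionLengthOutOfRange(uint256 given, uint256 min, uint256 max);

    event PoolSet(bytes32 indexed poolId, address indexed lender, uint256 auctionLength);

    mapping(bytes32 => PoolConfig) public pools;

    /// A "non-zero and not above the maximum" check admits a 1-second auction.
    /// Bounding from below by MIN_AUCTION_LENGTH rejects it, so every loan
    /// taken from the pool keeps a usable window for other lenders to buy it
    /// before the collateral can be seized.
    function setPool(PoolConfig calldata p) external returns (bytes32 poolId) {
        if (p.lender != msg.sender) revert NotLender();
        if (
            p.auctionLength < MIN_AUCTION_LENGTH ||
            p.auctionLength > MAX_AUCTION_LENGTH
        ) {
            revert AuctionLengthOutOfRange(
                p.auctionLength,
                MIN_AUCTION_LENGTH,
                MAX_AUCTION_LENGTH
            );
        }
        poolId = keccak256(abi.encode(p.lender)); // simplified id (assumption)
        pools[poolId] = p;
        // Emitting the configured length lets borrowers and monitors see it.
        emit PoolSet(poolId, p.lender, p.auctionLength);
    }
}
```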