Submission Details
Severity: medium
Valid

A malicious lender can front-run high value loans to maximize interest

Summary

A user taking out a loan may be front-run by the lender. The lender can change the interestRate of a pool, so a malicious lender can raise the interestRate to an elevated value just before the borrower's loan transaction executes.

This manipulation allows the lender to maximize their profit by imposing higher interest rates on the borrowed amount, potentially leading to significant financial losses for the borrower.

Vulnerability Details

  1. A user initiates a loan transaction with an interestRate (e.g. 20%) to borrow funds from the pool.

  2. The lender, who is aware of the upcoming loan transaction, front-runs the borrower and updates the interestRate parameter to an exceedingly high value (e.g. MAX_INTEREST_RATE = 1000%) before the loan is finalized.

  3. Consequently, the loan is transferred to the user at the manipulated interestRate of 1000%.

  4. If the change in the interestRate goes unnoticed, the borrower will end up paying much higher interest than expected, resulting in potential financial losses.

Impact

The borrower has to pay more interest than intended.

Tools Used

Manual review

Recommendations

An updated interest rate for a pool should take effect only after a time delay, to avoid this exploit.
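A minimal Python model of the transaction ordering above and of the delayed-update fix, added here as an illustration and not the audited contract's code. `Pool`, `set_rate`, `borrow` and the one-hour `RATE_DELAY` are assumptions; only the 20% and 1000% figures come from the finding.

```python
from dataclasses import dataclass
from typing import Optional

MAX_INTEREST_RATE = 1000  # percent, the ceiling quoted in the finding
RATE_DELAY = 3600         # seconds; assumed value, the finding does not specify a delay


@dataclass
class Pool:
    rate: int                           # rate currently in force, in percent
    delay: int = 0                      # 0 models the reported behaviour: updates apply at once
    pending_rate: Optional[int] = None  # queued update, if any
    pending_at: int = 0                 # timestamp at which the queued update takes effect

    def set_rate(self, new_rate: int, now: int) -> None:
        """Lender-only update. With a delay, the new rate is queued, not applied."""
        if not 0 <= new_rate <= MAX_INTEREST_RATE:
            raise ValueError("rate out of range")
        if self.delay == 0:
            self.rate = new_rate
        else:
            self.pending_rate, self.pending_at = new_rate, now + self.delay

    def borrow(self, now: int) -> int:
        """Return the rate the loan is opened at, applying a matured update first."""
        if self.pending_rate is not None and now >= self.pending_at:
            self.rate, self.pending_rate = self.pending_rate, None
        return self.rate


def rate_borrower_gets(delay: int, gap_seconds: int) -> int:
    """The lender's update is ordered first (t=0); the borrower's loan lands gap_seconds later."""
    pool = Pool(rate=20, delay=delay)  # the borrower saw 20% when signing
    pool.set_rate(MAX_INTEREST_RATE, now=0)
    return pool.borrow(now=gap_seconds)


if __name__ == "__main__":
    print("no delay, same block:   ", rate_borrower_gets(0, 0))
    print("with delay, same block: ", rate_borrower_gets(RATE_DELAY, 0))
    print("with delay, after delay:", rate_borrower_gets(RATE_DELAY, RATE_DELAY))
```

With the delay in place, a loan ordered right after the update still opens at the rate the borrower saw; the new rate only applies to loans opened after the delay has elapsed, when the change has been visible on-chain for that whole period.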
