Because fields such as the interest rate and the auction length are not part of the pool id, a lender can front-run a borrower's borrow call with a setPool call and change the loan terms while the id stays the same. The borrower ends up in a loan with conditions they never agreed to and can lose a large part of their funds or their entire collateral.
The pool id is calculated by hashing only the lender, loanToken and collateralToken. The remaining pool parameters, including the interest rate and the auction length, are not covered by the hash, so the id does not change when the lender modifies them. This enables the following attack path and makes taking loans unsafe for users:
A malicious lender creates a pool with very attractive conditions, for example 1% interest, to lure borrowers.
A borrower is attracted by the conditions and calls the borrow function with the id derived from lender, loanToken and collateralToken.
The malicious lender front-runs the borrower's borrow call and updates critical pool parameters via setPool, for example setting the interest rate to the maximum of 1000%.
The borrower's call goes through because the id has not changed, so the borrower is tricked into a loan at 1000% interest instead of the expected 1%.
Taking loans is unsafe for borrowers and can lead to a loss of funds, or even the complete loss of collateral: if the auction length is set to one, an auction can be started and the borrower liquidated within 12 seconds, and if the borrower does not notice the interest rate update for too long, the accrued interest eats into their position.
Manual Review, Foundry, VSCode
Include the most critical parameters, such as the interest rate and the auction length, in the hash of the pool id, so that any change to them produces a new id and a borrow call carrying the old id no longer resolves to the modified pool. Alternatively, or in addition, let borrow take the terms the borrower expects (for example a maximum interest rate and a minimum auction length) and revert when the pool's current values do not match, in the same way slippage limits protect swaps.
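The attack path above and the recommended fix are replayed in the following added Python model, which is not code from the audited project. Pool ids are derived both the way the finding describes (vulnerable: identity fields only) and the way it recommends (hardened: terms included), and the borrow call is run once with the id the borrower computed before the front-run. The class and function names, the token symbols, the 0xLender address and the 86400-second auction length are assumptions for illustration; sha3_256 stands in for keccak256 because only which inputs are hashed matters here.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Union

MAX_RATE = 1000  # percent: the maximum interest rate the finding mentions


def _encode(*fields) -> bytes:
    # Length-prefixed canonical encoding, a stand-in for abi.encode in this model.
    out = b""
    for f in fields:
        b = f.encode() if isinstance(f, str) else int(f).to_bytes(32, "big")
        out += len(b).to_bytes(4, "big") + b
    return out


def _hash(data: bytes) -> str:
    # sha3_256 stands in for keccak256 (hashlib has no keccak256); the padding
    # difference is irrelevant to which inputs end up in the id.
    return hashlib.sha3_256(data).hexdigest()


@dataclass(frozen=True)
class Pool:
    lender: str
    loan_token: str
    collateral_token: str
    interest_rate: int   # percent
    auction_length: int  # seconds


def pool_id_vulnerable(p: Pool) -> str:
    # As in the finding: only identity fields are hashed, so the lender can
    # change the terms and the id stays the same.
    return _hash(_encode(p.lender, p.loan_token, p.collateral_token))


def pool_id_hardened(p: Pool) -> str:
    # Terms are part of the id: changing them yields a different id, so a
    # borrow call carrying the old id can no longer land on the changed terms.
    return _hash(_encode(p.lender, p.loan_token, p.collateral_token,
                         p.interest_rate, p.auction_length))


class Lending:
    """Minimal model of the pool registry: setPool and borrow keyed by pool id."""

    def __init__(self, id_fn: Callable[[Pool], str]):
        self.id_fn = id_fn
        self.pools: Dict[str, Pool] = {}

    def set_pool(self, p: Pool) -> str:
        if not 0 <= p.interest_rate <= MAX_RATE or p.auction_length < 1:
            raise ValueError("invalid pool terms")
        pid = self.id_fn(p)
        self.pools[pid] = p  # same id -> silent overwrite of the terms
        return pid

    def borrow(self, pid: str, max_rate: Optional[int] = None,
               min_auction: Optional[int] = None) -> Pool:
        p = self.pools.get(pid)
        if p is None:
            raise KeyError("unknown pool")
        # Optional borrower-side guard (the alternative mitigation): the expected
        # terms travel in the borrow call itself, like a slippage limit.
        if max_rate is not None and p.interest_rate > max_rate:
            raise ValueError("interest rate above borrower limit")
        if min_auction is not None and p.auction_length < min_auction:
            raise ValueError("auction length below borrower limit")
        return p


def simulate_front_run(id_fn: Callable[[Pool], str], use_guard: bool) -> Union[int, str]:
    """Replay the attack path; return the rate the borrower ends up with, or 'reverted'."""
    lending = Lending(id_fn)
    advertised = Pool("0xLender", "USDC", "WETH", interest_rate=1, auction_length=86400)
    lending.set_pool(advertised)
    # The borrower derives the id from the advertised pool and submits borrow(id).
    borrower_pid = id_fn(advertised)
    # Front-run: before that transaction lands, the lender resets the terms.
    lending.set_pool(Pool("0xLender", "USDC", "WETH", interest_rate=MAX_RATE, auction_length=1))
    try:
        loan = lending.borrow(borrower_pid, max_rate=1 if use_guard else None,
                              min_auction=86400 if use_guard else None)
    except (KeyError, ValueError):
        return "reverted"
    return loan.interest_rate


if __name__ == "__main__":
    print("vulnerable id, no guard:", simulate_front_run(pool_id_vulnerable, False))  # 1000
    print("hardened id, no guard  :", simulate_front_run(pool_id_hardened, False))    # 1
    print("vulnerable id, guard   :", simulate_front_run(pool_id_vulnerable, True))   # reverted
```

With the hardened id the lender's second setPool creates a separate entry, so the borrower's transaction still lands on the 1% pool; in a real contract the lender could also withdraw that pool's liquidity first, in which case the borrow reverts instead. Either outcome is safe for the borrower, whereas with the vulnerable id the same call silently binds them to 1000% and a one-second auction.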