This report highlights a potential vulnerability in the Lender.sol smart contract where a malicious pool owner might exploit the system to front-run borrower transactions, leading to an unexpectedly high interest rate.
Bob, intending to take a loan, notices a pool owned by Eve offering zero interest and quickly decides to borrow some assets. However, Eve has malicious intentions and front-runs Bob's transaction by calling the updateInterestRate function, raising the interest rate from 0 to 99,999 just before Bob's borrow is mined. Bob's transaction then executes against the new rate without his knowledge.
Bob faces a big surprise when he wants to repay the loan. Bob is frustrated and no longer trusts the protocol.
A user ends up paying more interest than he initially expected and might even get liquidated.
Manual review
The protocol should introduce a delay or 'cooldown' period between interest rate updates to prevent immediate changes. This delay gives borrowers time to react to any proposed changes, maintaining transparency and trust in the protocol.
The protocol could also have the borrower pass the interest rate they agreed to and record it in the Borrow struct, so that if pool.interestRate does not match the rate the borrower expected (borrows[i].interestRate), the transaction reverts.
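The two mitigations above, as an added illustration that is not the audited Lender.sol: the Pool and Borrow struct layout, the pools mapping, RATE_UPDATE_DELAY and the function parameters are assumptions made for this example; only updateInterestRate and the interestRate field names come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract, not the project's Lender.sol.
contract LenderExample {
    struct Pool {
        address lender;
        uint256 interestRate;   // units as on the page: 0 .. 99,999
        uint256 poolBalance;
    }

    struct Borrow {
        bytes32 poolId;
        uint256 debt;
        uint256 interestRate;   // rate locked in at borrow time
        uint256 startTimestamp;
    }

    mapping(bytes32 => Pool) public pools;
    Borrow[] public borrows;

    // Assumed cooldown length between two rate updates of one pool.
    uint256 public constant RATE_UPDATE_DELAY = 1 days;
    mapping(bytes32 => uint256) public lastRateUpdate;

    error RateCooldown(uint256 availableAt);
    error RateChanged(uint256 expected, uint256 actual);

    // Mitigation 1: a pool owner cannot change the rate again until the
    // cooldown has elapsed, so the rate cannot flip right before a borrow.
    function updateInterestRate(bytes32 poolId, uint256 newRate) external {
        Pool storage pool = pools[poolId];
        require(msg.sender == pool.lender, "not lender");
        uint256 availableAt = lastRateUpdate[poolId] + RATE_UPDATE_DELAY;
        if (block.timestamp < availableAt) revert RateCooldown(availableAt);
        lastRateUpdate[poolId] = block.timestamp;
        pool.interestRate = newRate;
    }

    // Mitigation 2: the borrower states the rate they agreed to; if the pool
    // rate was front-run to something else, the borrow reverts instead of
    // silently executing at the new rate.
    function borrow(bytes32 poolId, uint256 debt, uint256 expectedRate) external {
        Pool storage pool = pools[poolId];
        if (pool.interestRate != expectedRate) {
            revert RateChanged(expectedRate, pool.interestRate);
        }
        require(pool.poolBalance >= debt, "insufficient liquidity");
        pool.poolBalance -= debt;
        borrows.push(Borrow(poolId, debt, pool.interestRate, block.timestamp));
        // token transfer to msg.sender omitted from this illustration
    }
}
```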