Borrowers can end up with a much higher interest rate on their loan than expected, because borrow() does not check that the pool's interest rate still matches the rate the borrower saw when submitting the transaction.
Consider this scenario:
A malicious lender sets up a pool with a very low interest rate to attract borrowers and monitors the mempool.
When a user submits a transaction to borrow funds, the lender front-runs him and changes the interest rate to MAX_INTEREST_RATE = 100_000.
Considering this is an interest rate per second, as stated in the comments in Structs.sol, 100 000 is a very large number and could be 10-20 times the interest rate the borrower expected.
The borrower ends up with an extremely expensive loan that he has to repay; he might not even notice that the interest rate changed, and racks up a huge bill.
The lender can then change the pool's interest rate back to a very low number to bait more borrowers in. (The loan's interest rate is initialized from pool.interestRate at the time of borrowing; changing the pool's interest rate afterwards does not affect past loans, link to code here.)
The impact is loss of funds for borrowers, who have to pay much more than expected, and reputational damage for the protocol: since any lender can do this, users will be hesitant to use the protocol.
Manual review
Add a parameter desiredInterestRate, either passed to the function or carried inside the Borrow struct, and check it inside the function:
require(pool.interestRate <= desiredInterestRate);
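The following added example (not the audited protocol's code) contrasts the unchecked borrow path described in the scenario above with the recommended borrower-supplied rate limit; the contract, struct and function names other than MAX_INTEREST_RATE and pool.interestRate are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Simplified pool to illustrate the finding. Pool, Loan, setInterestRate,
/// borrowUnchecked and maxInterestRate are assumed names, not the protocol's.
contract PoolExample {
    // Per-second rate cap quoted in the finding.
    uint256 public constant MAX_INTEREST_RATE = 100_000;

    struct Pool { address lender; uint256 interestRate; }
    struct Loan { address borrower; uint256 amount; uint256 interestRate; }

    Pool public pool;
    Loan[] public loans;

    constructor(uint256 initialRate) {
        require(initialRate <= MAX_INTEREST_RATE, "rate too high");
        pool = Pool(msg.sender, initialRate);
    }

    /// The lender may change the rate at any time, so a rate change can be
    /// mined ahead of a borrower's pending transaction.
    function setInterestRate(uint256 newRate) external {
        require(msg.sender == pool.lender, "not lender");
        require(newRate <= MAX_INTEREST_RATE, "rate too high");
        pool.interestRate = newRate;
    }

    /// Vulnerable shape: the loan records whatever pool.interestRate holds at
    /// execution time, not the rate the borrower saw when signing.
    function borrowUnchecked(uint256 amount) external returns (uint256 loanId) {
        loans.push(Loan(msg.sender, amount, pool.interestRate));
        return loans.length - 1;
    }

    /// Hardened shape: the borrower states the highest rate they accept. If the
    /// pool rate was raised in the meantime, the borrow reverts instead of
    /// silently repricing the loan.
    function borrow(uint256 amount, uint256 maxInterestRate) external returns (uint256 loanId) {
        require(pool.interestRate <= maxInterestRate, "rate above borrower limit");
        loans.push(Loan(msg.sender, amount, pool.interestRate));
        return loans.length - 1;
    }
}
```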