20,000 USDC
Submission Details
Severity: medium
Valid

Malicious lender can front-run user borrows to force them to accept unfavorable terms

Summary

The borrow function currently has no parameters that let the borrower specify the minimum terms of a loan they are willing to accept, for example the interestRate and the auctionLength. A malicious lender who sees a borrower's pending tx to take out a loan from their pool can therefore front-run it with a setPool call that, e.g., increases the interestRate. The borrower is then bound to worse-than-expected terms for their loan.

Vulnerability Details

Because borrowers cannot specify the minimum criteria (e.g. interestRate) for the loans they take out, a malicious lender can perform the following attack:

  1. Lender creates a pool with a low interest rate, using setPool

  2. Borrower specifies that they wish to borrow a set amount from that pool, using borrow

  3. Lender sees this tx in the mempool and front-runs it with a call of setPool, where they increase the interest rate to MAX_INTEREST_RATE

  4. Borrower is forced to pay this higher interest rate until they notice that they are being cheated

Impact

Lenders can force unsuspecting borrowers to accept unfavorable terms, meaning borrowers are being cheated.

Tools Used

Manual review

Recommendations

When a borrower attempts to borrow from a given pool, the borrow function should accept 'slippage' parameters set by the borrower, such as the largest interestRate they are willing to pay and the longest auctionLength they deem acceptable. If the pool's current terms do not satisfy these requirements at execution time, the borrow tx should revert.
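The attack sequence in Vulnerability Details and the fix recommended above, as an added Solidity illustration that is not the audited protocol's code. setPool, borrow, interestRate, auctionLength and MAX_INTEREST_RATE are the names the finding refers to; the Pool struct layout, the poolId key, the error names, the units and the `borrowUnchecked` function shown beside the hardened `borrow` are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the finding, not the protocol's code. Storage layout,
// units, poolId keying and error names are assumptions.
contract PoolSlippageExample {
    uint256 public constant MAX_INTEREST_RATE = 100_000; // assumed cap, in bps

    struct Pool {
        address lender;
        uint256 interestRate;  // assumed: basis points per year
        uint256 auctionLength; // assumed: seconds
    }

    mapping(bytes32 => Pool) public pools;

    error NotLender();
    error InterestRateAboveCap(uint256 rate);
    error RateTooHigh(uint256 poolRate, uint256 maxRate);
    error AuctionTooLong(uint256 poolLength, uint256 maxLength);

    event LoanOpened(bytes32 indexed poolId, address indexed borrower, uint256 amount, uint256 interestRate, uint256 auctionLength);

    // Lender creates or updates the pool terms (steps 1 and 3 of the attack).
    // Nothing here prevents the update from landing just before a borrow.
    function setPool(bytes32 poolId, uint256 interestRate, uint256 auctionLength) external {
        Pool storage p = pools[poolId];
        if (p.lender == address(0)) {
            p.lender = msg.sender;
        } else if (p.lender != msg.sender) {
            revert NotLender();
        }
        if (interestRate > MAX_INTEREST_RATE) revert InterestRateAboveCap(interestRate);
        p.interestRate = interestRate;
        p.auctionLength = auctionLength;
    }

    // Vulnerable shape (step 2): the borrower takes whatever terms the pool
    // holds when the tx executes, so a front-run setPool binds them to the
    // raised rate.
    function borrowUnchecked(bytes32 poolId, uint256 amount) external {
        Pool storage p = pools[poolId];
        _openLoan(poolId, amount, p.interestRate, p.auctionLength);
    }

    // Hardened shape: the borrower states the worst terms they will accept.
    // If the lender raised the rate or lengthened the auction in between, the
    // tx reverts instead of committing the borrower to the new terms.
    function borrow(
        bytes32 poolId,
        uint256 amount,
        uint256 maxInterestRate,
        uint256 maxAuctionLength
    ) external {
        Pool storage p = pools[poolId];
        if (p.interestRate > maxInterestRate) revert RateTooHigh(p.interestRate, maxInterestRate);
        if (p.auctionLength > maxAuctionLength) revert AuctionTooLong(p.auctionLength, maxAuctionLength);
        _openLoan(poolId, amount, p.interestRate, p.auctionLength);
    }

    // Loan bookkeeping is out of scope for the finding; the event records the
    // terms the borrower was actually bound to.
    function _openLoan(bytes32 poolId, uint256 amount, uint256 interestRate, uint256 auctionLength) internal {
        emit LoanOpened(poolId, msg.sender, amount, interestRate, auctionLength);
    }
}
```

The check belongs inside `borrow` itself, not in a separate view call the borrower makes first: anything read in an earlier tx can be changed by a setPool that is mined between the read and the borrow, which is exactly the window the finding describes.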
