20,000 USDC
Submission Details
Severity: medium
Valid

Pool owner can front-run innocent user and significantly increase interest rate

Summary

A pool owner can front-run a user taking a loan and significantly increase the interest rate of the loan.

Vulnerability Details

When taking a loan, a user specifies only the pool, the borrow amount they want and the collateral they're willing to provide; there is no protection on the interest rate. A pool owner can set a low interest rate to attract users and start monitoring the mempool. Upon seeing a user's loan transaction, the pool owner can front-run it and significantly increase the interest rate, so that the loan executes on terms the user would consider unacceptable.

Impact

The user will take a loan at a much higher interest rate than expected.

Tools Used

Manual review

Recommendations

Add a parameter to the Borrow struct that holds the maximum interest rate the user is willing to pay. When a loan is taken, make sure this value is >= the interest rate of the pool.
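A sketch of the recommended check, as an added example that is not the audited contract's code. The contract name, `Pool` and `Loan` layouts, `maxInterestRate`, the `RateTooHigh` error and the basis-point unit are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical lending sketch: only the rate bookkeeping is modelled,
/// token and collateral transfers are outside what this example shows.
contract LendingSketch {
    struct Pool { address owner; uint256 interestRate; } // rate in basis points (assumed unit)
    struct Borrow {
        bytes32 poolId;
        uint256 debt;
        uint256 collateral;
        uint256 maxInterestRate; // added field: highest rate the borrower accepts
    }
    struct Loan { address borrower; uint256 debt; uint256 collateral; uint256 interestRate; }

    error UnknownPool();
    error NotPoolOwner();
    error RateTooHigh(uint256 poolRate, uint256 maxAccepted);

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    function createPool(bytes32 poolId, uint256 rate) external {
        require(pools[poolId].owner == address(0), "pool exists");
        pools[poolId] = Pool(msg.sender, rate);
    }

    // The owner may still change the rate at any time, including in a
    // transaction ordered just before a pending borrow.
    function setInterestRate(bytes32 poolId, uint256 newRate) external {
        if (pools[poolId].owner != msg.sender) revert NotPoolOwner();
        pools[poolId].interestRate = newRate;
    }

    function borrow(Borrow calldata b) external returns (uint256 loanId) {
        Pool storage p = pools[b.poolId];
        if (p.owner == address(0)) revert UnknownPool();
        // The rate is read at execution time, so it already reflects any
        // update that landed earlier in the block. Comparing it with the
        // bound the borrower signed makes a raised rate revert the borrow
        // instead of silently becoming the loan's terms.
        if (p.interestRate > b.maxInterestRate) {
            revert RateTooHigh(p.interestRate, b.maxInterestRate);
        }
        loans.push(Loan(msg.sender, b.debt, b.collateral, p.interestRate));
        return loans.length - 1;
    }
}
```

The bound travels inside the signed transaction, so the pool owner cannot alter it; a borrower who sets it to the rate they saw when building the transaction gets either that rate or lower, or a revert.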
