20,000 USDC
Submission Details
Severity: medium
Valid

Lender can front-run a borrower and increase the loan's interest rate before it is granted

Summary

When a user invokes the function borrow, it is assumed that the interest rate of the loan, defined in pool.interestRate, has not been modified since the borrower consulted it before calling borrow. This assumption is never checked on-chain.

Vulnerability Details

When the function borrow is invoked, the interest rate applied to the newly created loan is whatever is stored in pool.interestRate at execution time. The lender can, however, raise that rate by front-running the borrower's transaction. A malicious lender could advertise a very low interest rate to attract borrowers, then front-run their borrow transactions with a call to updateInterestRate that raises the rate; this is especially profitable on large loans.

Impact

Borrowers would have to pay much more interest than they anticipated when the loan was requested, or otherwise lose their collateral.

Tools Used

Manual Review.

Recommendations

Add a new field, interestRate, to the Borrow struct in Structs.sol, so the borrower commits to the rate they observed.

Add a check in the function borrow in contract Lender.sol ensuring that the pool's current interest rate is less than or equal to the one requested by the borrower (the custom error below has to be declared alongside the contract's existing errors):

error PoolInterestRateLargerThanRequested();

function borrow(Borrow[] calldata borrows) public {
    // @audit lender could front run and change the interest rate. Add "interestRate" to Borrow Structure
    for (uint256 i = 0; i < borrows.length; i++) {
        bytes32 poolId = borrows[i].poolId;
        uint256 debt = borrows[i].debt;
        uint256 collateral = borrows[i].collateral;
        uint256 interestRate = borrows[i].interestRate;
        // load the pool the loan is taken from
        Pool memory pool = pools[poolId];
        // make sure pool interest rate is less or equal the one requested
        if (pool.interestRate > interestRate) revert PoolInterestRateLargerThanRequested();
        // ... remaining borrow logic unchanged
    }
}
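As an added illustration (not the protocol's code nor the reporter's), the minimal contract below combines a lender-controlled updateInterestRate with the recommended check, and a Foundry test (assumes forge-std is available) shows that a rate increase mined ahead of the borrow transaction now reverts instead of silently repricing the loan. The struct fields, contract names, rates and addresses are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {Test} from "forge-std/Test.sol";

// Constructed stand-ins for the protocol's structs; only the fields needed here.
struct Pool { address lender; uint256 interestRate; }
struct Borrow { bytes32 poolId; uint256 debt; uint256 collateral; uint256 interestRate; }

error PoolInterestRateLargerThanRequested();
error NotLender();

contract LenderExample {
    mapping(bytes32 => Pool) public pools;

    function createPool(bytes32 poolId, uint256 interestRate) external {
        pools[poolId] = Pool(msg.sender, interestRate);
    }

    // The lender may change the rate at any time. A borrow() mined after this
    // call picks up the new value unless the borrower pinned an upper bound.
    function updateInterestRate(bytes32 poolId, uint256 interestRate) external {
        if (pools[poolId].lender != msg.sender) revert NotLender();
        pools[poolId].interestRate = interestRate;
    }

    function borrow(Borrow[] calldata borrows) external {
        for (uint256 i = 0; i < borrows.length; i++) {
            Pool memory pool = pools[borrows[i].poolId];
            // Mitigation from the report: revert if the pool's current rate
            // exceeds the rate the borrower saw when building the transaction.
            if (pool.interestRate > borrows[i].interestRate) revert PoolInterestRateLargerThanRequested();
            // ... loan creation would follow here, using pool.interestRate
        }
    }
}

// Foundry test reproducing the ordering: the lender's rate update lands before
// the borrower's transaction, and the pinned rate makes the borrow revert.
contract FrontRunTest is Test {
    LenderExample lender = new LenderExample();
    address mallory = address(0xA11CE); address bob = address(0xB0B);
    bytes32 constant POOL = keccak256("pool-1");

    function testFrontRunReverts() public {
        vm.prank(mallory); lender.createPool(POOL, 100);           // advertised 1% (bps)
        Borrow[] memory b = new Borrow[](1);
        b[0] = Borrow(POOL, 1 ether, 2 ether, 100);                // bob pins the 1% he saw
        vm.prank(mallory); lender.updateInterestRate(POOL, 5_000); // front-run to 50%
        vm.prank(bob); vm.expectRevert(PoolInterestRateLargerThanRequested.selector);
        lender.borrow(b);
    }
}
```

Without the pinned interestRate field the same sequence would succeed and record a 50% loan, which is exactly the silent repricing the finding describes.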
