Cyfrin / 2023-07-beedle


Lender.sol - pool owner can change interest rate of open loans #313

Closed codehawks-bot closed 1 year ago

codehawks-bot commented 1 year ago

Lender.sol - pool owner can change interest rate of open loans

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L221-L226

Summary

When a lender updates the interest rate of his pool, the already open loans still operate with the old interest rate, essentially to not scam users into borrowing, then getting their interest skyrocketed. There is a way a malicious lender can bypass this.

Vulnerability Details

The updateInterestRate() function simply changes the interest rate of a pool as long as it does not go over the upper limit. A malicious lender can change this rate, but even if he does, the open loans would remain unchanged. This way, if a lender becomes malicious, even if he tries to pump his interest rates, new users can choose not to deposit, and old users would be unaffected. But the malicious lender can simply auction and rebuy his own loans to set the new interest rate for them. There is an attempted mitigation for this with if (pools[poolId].interestRate > currentAuctionRate) revert RateTooHigh();, but the currentAuctionRate is calculated by dividing the max interest possible elapsed time, 100_000 some seconds, by the length of the auction defined in the loan, which too could be set up by the lender by front-running the initial borrow. This way, by crafting the currentAuctionRate, the if check can be bypassed, thus setting in the new interest.

There are a lot of prerequisites and crafting that need to be done by the potentially malicious lender in order to execute this, so I am somewhere in between the MED and LOW. I will let the judges decide.

Impact

Users could be met with insanely high interest rates that would make their loans unrepayable, leading to the eventual seizing of their collateral.

Tools Used

Manual Review

Recommendations

Add some kind of threshold to validate that the buyer in the auction does not have an interest rate that is an X amount higher than the one of the seller pool. giveLoan does a similar if (pool.interestRate > loan.interestRate) revert RateTooHigh(); check.
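The recommended threshold check, shown beside the auction-rate check the finding describes, as an added illustration that is not Beedle's own code. The contract, the Pool/Loan structs, the MAX_INTEREST_RATE ceiling, the MAX_RATE_DELTA threshold and the buyLoan signature are all simplified assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, simplified model of the loan-purchase path described above.
/// Names and constants here are assumptions for illustration, not Lender.sol's.
contract LoanPurchaseModel {
    error RateTooHigh();
    error AuctionNotStarted();

    uint256 public constant MAX_INTEREST_RATE = 100_000; // assumed rate ceiling
    uint256 public constant MAX_RATE_DELTA = 10_000;     // assumed "X amount" threshold

    struct Pool { uint256 interestRate; }
    struct Loan {
        uint256 interestRate;          // rate the borrower agreed to (seller pool's rate)
        uint256 auctionStartTimestamp; // 0 while no auction is running
        uint256 auctionLength;         // set at borrow time; the finding notes a lender can influence it
    }

    mapping(bytes32 => Pool) public pools;
    mapping(uint256 => Loan) public loans;

    /// Dutch-auction rate ramping from 0 to MAX_INTEREST_RATE over auctionLength.
    /// A short auctionLength makes this reach the ceiling quickly, which is why the
    /// first check in buyLoan alone is not sufficient.
    function currentAuctionRate(Loan memory loan) public view returns (uint256) {
        uint256 elapsed = block.timestamp - loan.auctionStartTimestamp;
        return (MAX_INTEREST_RATE * elapsed) / loan.auctionLength;
    }

    function buyLoan(uint256 loanId, bytes32 poolId) external {
        Loan storage loan = loans[loanId];
        if (loan.auctionStartTimestamp == 0) revert AuctionNotStarted();
        uint256 buyerRate = pools[poolId].interestRate;

        // Existing-style check: only bounds the buyer by the auction ramp.
        if (buyerRate > currentAuctionRate(loan)) revert RateTooHigh();

        // Recommended threshold: the buying pool may not exceed the rate the
        // borrower agreed to by more than MAX_RATE_DELTA, so a lender cannot
        // re-buy their own loan at an arbitrarily higher rate.
        if (buyerRate > loan.interestRate + MAX_RATE_DELTA) revert RateTooHigh();

        loan.interestRate = buyerRate;
        loan.auctionStartTimestamp = 0;
    }
}
```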

PatrickAlphaC commented 1 year ago

The lender would risk someone else buying the loan before they can actually buy it with the updated interest rate. This is a free market!