When a lender updates the interest rate of his pool, the already open loans still operate with the old interest rate, essentially to not scam users into borrowing, then getting their interest skyrocketed. There is a way a malicious lender can bypass this.
Vulnerability Details
The updateInterestRate() function simply changes the interest rate of a pool as long as it does not go over the upper limit. A malicious lender can change this rate, but even if he does, the open loans would remain unchanged. This way if a lender becomes malicious, even if he tries to pump his interest rates, new users can choose not to deposit, old users would be unaffected. But the malicious lender can simply auction and rebuy his own loans to set the new interest rate for them.
There is an attempted mitigation for this with if (pools[poolId].interestRate > currentAuctionRate) revert RateTooHigh();, but the currentAuctionRate is calculated by dividing the max interest possible elapsed time, 100_000 some seconds, by the length of the auction defined in the loan, which too could be set up by the lender by front-running the initial borrow. This way by crafting the currentAuctionRate, the if check can be bypassed, thus setting in the new interest.
There is a lot of prerequisites and crafting that needs to be done by the potentially malicious lender in order to execute this, so I am somewhere in between the MED and LOW. I will let the judges decide.
Impact
Users could be met with insanely high interest rates that would make their loans unrepayable, leading to the eventual seizing of their collateral.
Tools Used
Manual Review
Recommendations
Add some kind of threshold to validate if the buyer in the auction does not have an interest rate that is an X amount higher than the one of the seller pool. giveLoan does a similiar if (pool.interestRate > loan.interestRate) revert RateTooHigh(); check.
Lender.sol - pool owner can change interest rate of open loans
Severity
Medium Risk
Relevant GitHub Links
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L221-L226
Summary
When a lender updates the interest rate of his pool, the already open loans still operate with the old interest rate, essentially to not scam users into borrowing, then getting their interest skyrocketed. There is a way a malicious lender can bypass this.
Vulnerability Details
The
updateInterestRate()
function simply changes the interest rate of a pool as long as it does not go over the upper limit. A malicious lender can change this rate, but even if he does, the open loans would remain unchanged. This way if a lender becomes malicious, even if he tries to pump his interest rates, new users can choose not to deposit, old users would be unaffected. But the malicious lender can simply auction and rebuy his own loans to set the new interest rate for them. There is an attempted mitigation for this withif (pools[poolId].interestRate > currentAuctionRate) revert RateTooHigh();
, but thecurrentAuctionRate
is calculated by dividing the max interest possible elapsed time, 100_000 some seconds, by the length of the auction defined in the loan, which too could be set up by the lender by front-running the initial borrow. This way by crafting thecurrentAuctionRate
, the if check can be bypassed, thus setting in the new interest.There is a lot of prerequisites and crafting that needs to be done by the potentially malicious lender in order to execute this, so I am somewhere in between the MED and LOW. I will let the judges decide.
Impact
Users could be met with insanely high interest rates that would make their loans unrepayable, leading to the eventual seizing of their collateral.
Tools Used
Manual Review
Recommendations
Add some kind of threshold to validate if the buyer in the auction does not have an interest rate that is an X amount higher than the one of the seller pool.
giveLoan
does a similiarif (pool.interestRate > loan.interestRate) revert RateTooHigh();
check.