Initial interest rate of a pair can be front run by any user to set it to max
Summary
Initial interest rate of a pair can be front run by any user to set it to max
Vulnerability Detail
The creation of Ajna pool (ERC20 or ERC721) by design is open to anyone. Anyone can register a pair to create a pool with a custom interest rate (min 1% max 10%).
Comparing to Uniswap in terms of creating a pair, the first creator of a pair which he can set the price strategically most of the time is the developer/team/creator of the token. This initial liquidity pair will set the price. This initial price for sure is the important factor for the project itself to attract users.
Back to Ajna, which give anyone capability to create a pool, giving the power of initialise interest rate to anyone might not benefit to a certain token which being used as the collateral or quote token.
While the interest rates can automatically adjusted based on lender and borrower, but giving an initial interest rate to max will make the activity of a pool might be slow to gain some tractions.
Let say a new token was created (or any unpopular token), and trying to gain popularity, if someone initially create an Ajna pool which set the interestRate as 10% (max), then the project might be hard to get some exposure to public. Perhaps the project owner of that token want to minimize as little as 1%, but an unknown user front-run it by creating the pool with 10% interest rate.
Impact
Someone might set a pool with max interest rate, which can make the pool not attractive.
Since the aim of ajna is permissionless, we can't really include any governance rule for a token, so, rather than giving a power to anyone else setting an interest rate, just let the initial interest rate to be the average of minimum or maximum, for example 5%, so the adjusted dynamic interest rate can easily catch to the market interest-rate value.
chainNue
medium
Initial interest rate of a pair can be front run by any user to set it to max
Summary
Initial interest rate of a pair can be front run by any user to set it to max
Vulnerability Detail
The creation of Ajna pool (ERC20 or ERC721) by design is open to anyone. Anyone can register a pair to create a pool with a custom interest rate (min 1% max 10%).
Comparing to Uniswap in terms of creating a pair, the first creator of a pair which he can set the
pricestrategically most of the time is the developer/team/creator of the token. This initial liquidity pair will set the price. This initial price for sure is the important factor for the project itself to attract users.Back to Ajna, which give anyone capability to create a pool, giving the power of initialise interest rate to anyone might not benefit to a certain token which being used as the collateral or quote token.
While the interest rates can automatically adjusted based on lender and borrower, but giving an initial interest rate to max will make the activity of a pool might be slow to gain some tractions.
Let say a new token was created (or any unpopular token), and trying to gain popularity, if someone initially create an Ajna pool which set the
interestRateas 10% (max), then the project might be hard to get some exposure to public. Perhaps the project owner of that token want to minimize as little as 1%, but an unknown user front-run it by creating the pool with 10% interest rate.Impact
Someone might set a pool with max interest rate, which can make the pool not attractive.
Code Snippet
https://github.com/sherlock-audit/2023-01-ajna/blob/main/contracts/src/ERC20PoolFactory.sol#L75
Tool used
Manual Review
Recommendation
Since the aim of ajna is permissionless, we can't really include any
governancerule for a token, so, rather than giving a power to anyone else setting an interest rate, just let the initial interest rate to be the average of minimum or maximum, for example 5%, so the adjusted dynamic interest rate can easily catch to the market interest-rate value.