Open sherlock-admin opened 1 year ago
Escalate for 10 USDC This is not valid M. Accroding to README.md: Market owners should NOT be able to race-condition attack borrowers or lenders by changing market settings while bids are being submitted or accepted
Escalate for 10 USDC This is not valid M. Accroding to README.md: Market owners should NOT be able to race-condition attack borrowers or lenders by changing market settings while bids are being submitted or accepted
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation rejected
Valid medium This is a valid issue and protocol expected this to be audited and is mentioned in the readme
Escalation rejected
Valid medium This is a valid issue and protocol expected this to be audited and is mentioned in the readme
This issue's escalations have been rejected!
Watsons who escalated this issue will have their escalation amount deducted from their next payout.
Fix looks good. LenderAcceptBid now allows users to specify a max fee
tallo
medium
A malicious market owner/protocol owner can front-run calls to lenderAcceptBid and change the marketplace fee to steal lender funds
Lines of Code
https://github.com/teller-protocol/teller-protocol-v2/blob/develop/packages/contracts/contracts/TellerV2.sol#L470 https://github.com/teller-protocol/teller-protocol-v2/blob/develop/packages/contracts/contracts/ProtocolFee.sol#L44 https://github.com/teller-protocol/teller-protocol-v2/blob/develop/packages/contracts/contracts/MarketRegistry.sol#L621
Summary
Malicious market owners and protocol owners can arbitrary set fees to extraordinary rates to steal all of the lenders funds.
Vulnerability Detail
A malicious market owner can front run lenders who wish to accept a bid through
lenderAcceptBid
by callingMarketRegistry.setMarketFeePercent
to set the marketplace fee to 100%. This allows the malicious market owner to steal 100% of the funds from the lender. The same thing can be done by a malicious protocol owner by callingProtocolFee.setProtocolFee
Impact
Lender loses all their funds on a bid they accept due to malicious or compromised market owner/protocol owner.
Code Snippet
Tool used
Manual Review
Recommendation
lenderAcceptBid
Note: The developers seem to be aware of this attack vector but their doesn't appear to be a fix in this case"Market owners should NOT be able to race-condition attack borrowers or lenders by changing market settings while bids are being submitted or accepted (while tx are in mempool). Care has been taken to ensure that this is not possible (similar in theory to sandwich attacking but worse as if possible it could cause unexpected and non-consentual interest rate on a loan) and further-auditing of this is welcome. The best way to defend against this is to allow borrowers and lenders to specify such loan parameters in their TX such that they are explicitly consenting to them in the tx and then reverting if the market settings conflict with those tx arguments."