A malicious user can borrow at a much lower interest rate from LenderCommitmentGroup_Smart.
Summary
The interest rate is determined based on the PoolUtilizationRatio when the loan is made. A malicious user can temporarily decrease the PoolUtilizationRatio by depositing a large amount of liquidity just before taking out a loan. They can then quickly withdraw all that liquidity after the loan is made. This can allow the malicious user to borrow at a much lower interest rate.
This attack can also be carried out using a flash loan, where the user borrows a large amount of liquidity, deposits it to reduce the PoolUtilizationRatio, takes out a loan at the artificially low rate, and then repays the flash loan. This allows the user to obtain a loan at an interest rate that does not accurately reflect the pool's true utilization level.
Vulnerability Detail
Depositing a large amount of liquidity into the LenderCommitmentGroup_Smart increases the PoolTotalEstimatedValue, which in turn decreases the PoolUtilizationRatio.
function getPoolUtilizationRatio() public view returns (uint16) {
if (getPoolTotalEstimatedValue() == 0) {
return 0;
}
return uint16( Math.min(
getTotalPrincipalTokensOutstandingInActiveLoans() * 10000 /
@> getPoolTotalEstimatedValue() , 10000 ));
}
function getMinInterestRate() public view returns (uint16) {
@> return interestRateLowerBound + uint16( uint256(interestRateUpperBound-interestRateLowerBound).percent(getPoolUtilizationRatio()) );
}
So a user can borrow at a much lower interest rate from LenderCommitmentGroup_Smart. He can then quickly withdraw all that liquidity after the loan is made. As a result, a malicious user can borrow at a much lower interest rate.
Even though a malicious user may not have enough funds themselves, they can still temporarily deposit a large amount of liquidity into the LenderCommitmentGroup_Smart by using a flash loan.
Impact
A malicious user can borrow at a much lower interest rate that does not accurately reflect the pool's true utilization level.
The mechanism for interest rate checking should be improved. Additionally, withdrawal should be disabled in the same block to prevent flashloan attack.
KupiaSec
high
A malicious user can borrow at a much lower interest rate from
LenderCommitmentGroup_Smart.Summary
The interest rate is determined based on the
PoolUtilizationRatiowhen the loan is made. A malicious user can temporarily decrease thePoolUtilizationRatioby depositing a large amount of liquidity just before taking out a loan. They can then quickly withdraw all that liquidity after the loan is made. This can allow the malicious user to borrow at a much lower interest rate.This attack can also be carried out using a flash loan, where the user borrows a large amount of liquidity, deposits it to reduce the
PoolUtilizationRatio, takes out a loan at the artificially low rate, and then repays the flash loan. This allows the user to obtain a loan at an interest rate that does not accurately reflect the pool's true utilization level.Vulnerability Detail
Depositing a large amount of liquidity into the
LenderCommitmentGroup_Smartincreases thePoolTotalEstimatedValue, which in turn decreases thePoolUtilizationRatio.https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L757-L771
So a user can borrow at a much lower interest rate from
LenderCommitmentGroup_Smart. He can then quickly withdraw all that liquidity after the loan is made. As a result, a malicious user can borrow at a much lower interest rate.Even though a malicious user may not have enough funds themselves, they can still temporarily deposit a large amount of liquidity into the LenderCommitmentGroup_Smart by using a flash loan.
Impact
A malicious user can borrow at a much lower interest rate that does not accurately reflect the pool's true utilization level.
Code Snippet
https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L757-L771
Tool used
Manual Review
Recommendation
The mechanism for interest rate checking should be improved. Additionally, withdrawal should be disabled in the same block to prevent flashloan attack.
Duplicate of #110