Marketplace Fee for loan can be updated any time after bid until lender accepts
Summary
A user creates a bid for a loan using submitBid(). Upon submitting the bid, the marketplace fee is not stored. Instead, when the lender accepts the bid using lenderAccetBid(), the marketplace fee is queried from the MarketplaceRegistry contract and used to calculate the amount of principal owed to the borrower. This fee can be updated up to 100% by the marketplace owner at any time between the bid submission to loan acceptance.
Vulnerability Detail
The marketplace fee should be written to the loan's storage to ensure that the updates to the fee cannot affect a bid retroactively. The marketplace owner can update the fee so large that the borrower receives 0 principal.
0xDjango
high
Marketplace Fee for loan can be updated any time after bid until lender accepts
Summary
A user creates a bid for a loan using
submitBid()
. Upon submitting the bid, the marketplace fee is not stored. Instead, when the lender accepts the bid usinglenderAccetBid()
, the marketplace fee is queried from theMarketplaceRegistry
contract and used to calculate the amount of principal owed to the borrower. This fee can be updated up to 100% by the marketplace owner at any time between the bid submission to loan acceptance.Vulnerability Detail
The marketplace fee should be written to the loan's storage to ensure that the updates to the fee cannot affect a bid retroactively. The marketplace owner can update the fee so large that the borrower receives 0 principal.
Impact
Code Snippet
https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/TellerV2.sol#L525-L531
Tool used
Manual Review
Recommendation
Write the marketplace fee percent to loan storage at the time of bid submission, and ensure that the borrower agrees to the terms.
Duplicate of #125