Potential Transaction Manipulation by Lender-Miners Leading to Unfair Collateral Seizure
Summary
A lender who is also a miner can manipulate transaction order to delay a borrower's repayment and seize collateral unfairly. This occurs when the borrower is trying to make the repayment just before their loan peirod is over and the lender holds the borrower's repayment transaction and executes a call followed by a seize, exploiting the loan status change to "Called."
Root Cause
The choice to allow immediate execution of seize after call without a delay is a mistake, as it enables transaction manipulation by lender-miners
Internal pre-conditions
The loan must be in LoanStatus.Active.
The loan period must be ending or ended, allowing the call to be executed.
External pre-conditions
The lender must also be a miner capable of manipulating transaction order.
The borrower must attempt repayment close to the loan period's end.
Attack Path
Borrower submits a repayment transaction just before the loan period ends.
Lender-miner delays the borrower's transaction.
Lender-miner executes call to change the loan status to "Called."
Lender-miner immediately executes seize to take the borrower's collateral.
Impact
The borrower suffers a loss of collateral, despite attempting to repay the loan on time. The lender gains the collateral unfairly due to transaction manipulation
0xBhumii
Medium
Potential Transaction Manipulation by Lender-Miners Leading to Unfair
Collateral SeizureSummary
A lender who is also a miner can manipulate transaction order to delay a borrower's repayment and seize collateral unfairly. This occurs when the borrower is trying to make the repayment just before their loan peirod is over and the lender holds the borrower's repayment transaction and executes a
callfollowed by aseize, exploiting the loan status change to "Called."Root Cause
The choice to allow immediate execution of
seizeaftercallwithout a delay is a mistake, as it enables transaction manipulation by lender-minersInternal pre-conditions
The loan must be in LoanStatus.Active. The loan period must be ending or ended, allowing the call to be executed.
External pre-conditions
The lender must also be a miner capable of manipulating transaction order. The borrower must attempt repayment close to the loan period's end.
Attack Path
Borrower submits a repayment transaction just before the loan period ends. Lender-miner delays the borrower's transaction. Lender-miner executes call to change the loan status to "Called." Lender-miner immediately executes seize to take the borrower's collateral.
Impact
The borrower suffers a loss of collateral, despite attempting to repay the loan on time. The lender gains the collateral unfairly due to transaction manipulation
PoC
https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L454C1-L475C1 https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L534C1-L553C1
Mitigation
Grace Period: Implement a grace period after the loan period ends, allowing borrowers to repay without risk of immediate seizure.