Lenders vulnerable to forced unfavorable loans due to exploitable salt cancellation mechanism
Summary
An attacker can frontrun the cancel() function to accept outdated loan offers before they are cancelled. Lenders are forced into unfavorable loan agreements based on new market information due to a cancellation delay.
Root Cause
The choice to allow immediate cancellation of salts for cancelling an active proposal allows a window of opportunity for frontrunning attacks.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Lender decides to cancel an active loan offer due to new market information and calls cancel() [Github link]
Attacker frontruns this transaction with their own acceptLoanOffer() transaction. [Github link]
Attacker's transaction is processed first, accepting the soon-to-be-cancelled loan offer.
Lender's cancel() transaction is processed, but it's too late as the loan offer has already been accepted.
Impact
The lender suffers a potential loss by being forced into a loan agreement they intended to cancel, possibly using collateral that has significantly decreased in value or under terms they no longer find acceptable. The attacker gains an unfair advantage by accepting a loan offer that the lender wanted to revoke.
Abundant Graphite Hippo
Medium
Lenders vulnerable to forced unfavorable loans due to exploitable salt cancellation mechanism
Summary
An attacker can frontrun the cancel() function to accept outdated loan offers before they are cancelled. Lenders are forced into unfavorable loan agreements based on new market information due to a cancellation delay.
Root Cause
The choice to allow immediate cancellation of salts for cancelling an active proposal allows a window of opportunity for frontrunning attacks.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Impact
The lender suffers a potential loss by being forced into a loan agreement they intended to cancel, possibly using collateral that has significantly decreased in value or under terms they no longer find acceptable. The attacker gains an unfair advantage by accepting a loan offer that the lender wanted to revoke.
PoC
No response
Mitigation
No response