Loans can mature instantly due to lack of minimumDuration check and variable
Summary
In accepting offers there is no check for the least duration a loan should stay so as to mature, meaning if a borrower accepts a loan offer The loan will mature instantly. leading to a borrower to instanly lose his collateral or pay high interest since new lenders call auction. And if this is not accepted in the user Interface. The Attacker can create a proposal and match it using matchPropasal() using the smart contract Directly.
Root Cause
There is no check of minimumTime a loan can be given in both acceptLoanOffer(). acceptLoanOfferAndFillOrder(). nor is there either a variable to check against.
Internal pre-conditions
add minimum duration variable 1hour or above to avoid borrowers being thrown into high debts instantly.
External pre-conditions
No response
Attack Path
An Attacker creates a proposal and calls match if the ui doesn't allow 0 minimum time duration. he can create a proposal struct and call match directly.
The matchProposal directly matches the proposal to an borrower.
Once it is successful the attacker calls call() which then will allow auctioning of tokens.
a new lender can now bid leaving the attacker with profit from the new lender even though the loan matured instantly
Impact
The loanId will mature instantly causing the borrower to pay loan with high interest, to recapture the underlying tokens.
Savory White Panda
Medium
Loans
can mature instantly due to lack ofminimumDuration
check andvariable
Summary
In accepting offers there is no check for the least duration a loan should stay so as to mature, meaning if a borrower accepts a loan offer The
loan
will mature instantly. leading to aborrower
to instanly lose his collateral or pay high interest since new lenders call auction. And if this is not accepted in the user Interface. TheAttacker
can create a proposal andmatch
it usingmatchPropasal()
using the smart contract Directly.Root Cause
There is no
check
of minimumTime a loan can be given in bothacceptLoanOffer()
.acceptLoanOfferAndFillOrder()
. nor is there either a variable to check against.Internal pre-conditions
External pre-conditions
No response
Attack Path
match
if the ui doesn't allow 0 minimum time duration. he can create a proposal struct and call match directly.call()
which then will allowauctioning
of tokens.bid
leaving theattacker
with profit from the new lender even though theloan
matured instantlyImpact
The
loanId
will mature instantly causing theborrower
to pay loan with high interest, to recapture the underlying tokens.PoC
No response
Mitigation
Add a minimum duration like 1 hour, to avoid instant maturity in
assertProposalValidity()
function. https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L1409C2-L1443C1