PredictDotLoan::auction() doesn't allow new lenders to specify a minimum interest rate
Summary
PredictDotLoan::auction() doesn't allow users to specify a minimum interest rate. Due to the dutch auction this doesn't seem an issue since the interest rate always increases the more time elapses. However, this can be an issue if the chain where the contracts are deployed suffers a reorg attack. This may place the transaction earlier than the actor (Alice) anticipated. Therefore the interest rate that Alice expected may be lower causing a loss for Alice, since they expected a higher interest rate to achieve with their PredictDotLoan::auction() tx.
According to the contest page, the protocol contracts may be deployed to compatible EVM chains, many of which are frequently reorganized.
potentially any EVM chains with a prediction market
Root Cause
PredictDotLoan::auction() doesn't allow actors to specify a minInterestRate.
An actor (the new lender) that is participating on an auction may receive less interest than intended, suffering a loss due to the lower interest rate.
PoC
No response
Mitigation
Consider allowing actors to specify a minInterestRate when they auction, and revert if the actual interest rate that is based on time elapsed is smaller than the minInterestRate.
Decent Marmalade Blackbird
Medium
PredictDotLoan::auction() doesn't allow new lenders to specify a minimum interest rate
Summary
PredictDotLoan::auction()doesn't allow users to specify a minimum interest rate. Due to the dutch auction this doesn't seem an issue since the interest rate always increases the more time elapses. However, this can be an issue if the chain where the contracts are deployed suffers a reorg attack. This may place the transaction earlier than the actor (Alice) anticipated. Therefore the interest rate that Alice expected may be lower causing a loss for Alice, since they expected a higher interest rate to achieve with theirPredictDotLoan::auction()tx.According to the contest page, the protocol contracts may be deployed to compatible EVM chains, many of which are frequently reorganized.
Root Cause
PredictDotLoan::auction()doesn't allow actors to specify aminInterestRate.https://github.com/sherlock-audit/2024-09-predict-fun/blob/41e70f9eed3f00dd29aba4038544150f5b35dccb/predict-dot-loan/contracts/PredictDotLoan.sol#L561
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
An actor (the new lender) that is participating on an auction may receive less interest than intended, suffering a loss due to the lower interest rate.
PoC
No response
Mitigation
Consider allowing actors to specify a
minInterestRatewhen they auction, and revert if the actual interest rate that is based on time elapsed is smaller than theminInterestRate.