Malicious borrower can arbitrage with acceptLoanOfferAndFillOrder()
Summary
This function is meant for borrowers to be able to borrow without any collateral, it also returns excess collateral Tokens to the borrowers. However this can be exploited, if the order's maker to taker amount ratio is better than the proposal's collateral to loan ratio.
It transfer back the increase(i.e collateral tokens from filling order) minus the required amount of collateral.
Internal pre-conditions
No response
External pre-conditions
For the malicious borrower to get free collateral tokens, the order on the exchange must have worse maker to taker amount ratio than the proposal's collateral to loan amount ratio. For example, if the proposal has 1.5 : 1 ratio and the order execute at the price 0f 0.50$( i.e 2 :1), the borrower can call the function to pocket the difference.
Attack Path
If there is an order with the amounts big enough to accept the loan and if the order's maker to taker ratio is worse than the proposal's collateral to loan ratio. The function will fill the order, get the collateral tokens, put the required collateral in the loan which would be less than the amount from filling the order, and transfer the excess to the borrower.
Impact
Since callers of this function can execute this at the cost of gas fees, the loans can be used up and excess collateral will be given to the caller.
Urban Jetblack Mantaray
High
Malicious borrower can arbitrage with acceptLoanOfferAndFillOrder()
Summary
This function is meant for borrowers to be able to borrow without any collateral, it also returns excess collateral Tokens to the borrowers. However this can be exploited, if the order's maker to taker amount ratio is better than the proposal's collateral to loan ratio.
Root Cause
This is the function that transfers the excess collateral tokens to borrower. https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L265-L270
It transfer back the increase(i.e collateral tokens from filling order) minus the required amount of collateral.
Internal pre-conditions
No response
External pre-conditions
For the malicious borrower to get free collateral tokens, the order on the exchange must have worse maker to taker amount ratio than the proposal's collateral to loan amount ratio. For example, if the proposal has 1.5 : 1 ratio and the order execute at the price 0f 0.50$( i.e 2 :1), the borrower can call the function to pocket the difference.
Attack Path
If there is an order with the amounts big enough to accept the loan and if the order's maker to taker ratio is worse than the proposal's collateral to loan ratio. The function will fill the order, get the collateral tokens, put the required collateral in the loan which would be less than the amount from filling the order, and transfer the excess to the borrower.
Impact
Since callers of this function can execute this at the cost of gas fees, the loans can be used up and excess collateral will be given to the caller.
PoC
No response
Mitigation
No response