pkqs90 - Borrowers may receive less tokens than they expect due to fee change after submitting a bid.
Closed this issue · 0 comments
pkqs90
medium
Borrowers may receive less tokens than they expect due to fee change after submitting a bid.
Summary
Borrowers create a bid using submitBid
and specifies the principal amount. However, this amount is not what the borrowers receive, but what the lenders pay. Protocol fees and marketplace fees may increase after the bid is created, and when the bid is finally accepted by a lender, the amount that borrowers receive may be less than what they expected.
Vulnerability Detail
In the function lenderAcceptBid()
, we can see the amount that is sent to the borrower is amountToBorrower = bid.loanDetails.principal - amountToProtocol - amountToMarketplace;
. The fees sent to the protocol and marketplace is calculated on-the-fly, which means after the bid is created, these fee numbers may increase. Also, since the marketplace is decentralized, the marketplace owner may even try to front-run the lender and increase the marketplace fee.
These would all result in the borrower receiving less token amounts compared to when they created the bid. A simple solution to this is to add a "minTokensReceived" slippage parameter in the bid
data structure.
function lenderAcceptBid(uint256 _bidId)
external
override
pendingBid(_bidId, "lenderAcceptBid")
whenNotPaused
returns (
uint256 amountToProtocol,
uint256 amountToMarketplace,
uint256 amountToBorrower
)
{
...
// Transfer funds to borrower from the lender
amountToProtocol = bid.loanDetails.principal.percent(protocolFee());
amountToMarketplace = bid.loanDetails.principal.percent(
marketRegistry.getMarketplaceFee(bid.marketplaceId)
);
amountToBorrower =
bid.loanDetails.principal -
amountToProtocol -
amountToMarketplace;
//transfer fee to protocol
if (amountToProtocol > 0) {
bid.loanDetails.lendingToken.safeTransferFrom(
sender,
owner(),
amountToProtocol
);
}
//transfer fee to marketplace
if (amountToMarketplace > 0) {
bid.loanDetails.lendingToken.safeTransferFrom(
sender,
marketRegistry.getMarketFeeRecipient(bid.marketplaceId),
amountToMarketplace
);
}
//transfer funds to borrower
if (amountToBorrower > 0) {
bid.loanDetails.lendingToken.safeTransferFrom(
sender,
bid.receiver,
amountToBorrower
);
}
}
Impact
The borrower may receive less tokens than when they created the bid, and the borrower has no control over this.
Code Snippet
Tool used
Manual review
Recommendation
Add a "minTokensReceived" slippage parameter in the bid
data structure to ensure the borrower receives at least these amount of tokens.
Duplicate of #125