pkqs90 - Borrowers may receive less tokens than they expect due to fee change after submitting a bid.

Question

pkqs90 - Borrowers may receive less tokens than they expect due to fee change after submitting a bid.

Closed this issue 2 months ago · 0 comments

pkqs90

medium

Borrowers may receive less tokens than they expect due to fee change after submitting a bid.

Summary

Borrowers create a bid using submitBid and specifies the principal amount. However, this amount is not what the borrowers receive, but what the lenders pay. Protocol fees and marketplace fees may increase after the bid is created, and when the bid is finally accepted by a lender, the amount that borrowers receive may be less than what they expected.

Vulnerability Detail

In the function lenderAcceptBid(), we can see the amount that is sent to the borrower is amountToBorrower = bid.loanDetails.principal - amountToProtocol - amountToMarketplace;. The fees sent to the protocol and marketplace is calculated on-the-fly, which means after the bid is created, these fee numbers may increase. Also, since the marketplace is decentralized, the marketplace owner may even try to front-run the lender and increase the marketplace fee.

These would all result in the borrower receiving less token amounts compared to when they created the bid. A simple solution to this is to add a "minTokensReceived" slippage parameter in the bid data structure.

    function lenderAcceptBid(uint256 _bidId)
        external
        override
        pendingBid(_bidId, "lenderAcceptBid")
        whenNotPaused
        returns (
            uint256 amountToProtocol,
            uint256 amountToMarketplace,
            uint256 amountToBorrower
        )
    {
    	...

        // Transfer funds to borrower from the lender
        amountToProtocol = bid.loanDetails.principal.percent(protocolFee());
        amountToMarketplace = bid.loanDetails.principal.percent(
            marketRegistry.getMarketplaceFee(bid.marketplaceId)
        );
        amountToBorrower =
            bid.loanDetails.principal -
            amountToProtocol -
            amountToMarketplace;

        //transfer fee to protocol
        if (amountToProtocol > 0) {
            bid.loanDetails.lendingToken.safeTransferFrom(
                sender,
                owner(),
                amountToProtocol
            );
        }

        //transfer fee to marketplace
        if (amountToMarketplace > 0) {
            bid.loanDetails.lendingToken.safeTransferFrom(
                sender,
                marketRegistry.getMarketFeeRecipient(bid.marketplaceId),
                amountToMarketplace
            );
        }

        //transfer funds to borrower
        if (amountToBorrower > 0) {
            bid.loanDetails.lendingToken.safeTransferFrom(
                sender,
                bid.receiver,
                amountToBorrower
            );
        }
    }

Impact

The borrower may receive less tokens than when they created the bid, and the borrower has no control over this.

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/TellerV2.sol#L524-L531

Tool used

Manual review

Recommendation

Add a "minTokensReceived" slippage parameter in the bid data structure to ensure the borrower receives at least these amount of tokens.

Duplicate of #125