0xDjango - Marketplace Fee for loan can be updated any time after bid until lender accepts
Closed this issue · 0 comments
0xDjango
high
Marketplace Fee for loan can be updated any time after bid until lender accepts
Summary
A user creates a bid for a loan using submitBid()
. Upon submitting the bid, the marketplace fee is not stored. Instead, when the lender accepts the bid using lenderAccetBid()
, the marketplace fee is queried from the MarketplaceRegistry
contract and used to calculate the amount of principal owed to the borrower. This fee can be updated up to 100% by the marketplace owner at any time between the bid submission to loan acceptance.
Vulnerability Detail
The marketplace fee should be written to the loan's storage to ensure that the updates to the fee cannot affect a bid retroactively. The marketplace owner can update the fee so large that the borrower receives 0 principal.
amountToMarketplace = bid.loanDetails.principal.percent(
marketRegistry.getMarketplaceFee(bid.marketplaceId)
);
amountToBorrower =
bid.loanDetails.principal -
amountToProtocol -
amountToMarketplace;
Impact
- Borrowers can receive 0-value loans due to updates to the marketplace fee percent, even after their bid has been submitted.
Code Snippet
Tool used
Manual Review
Recommendation
Write the marketplace fee percent to loan storage at the time of bid submission, and ensure that the borrower agrees to the terms.
Duplicate of #125