0xDjango - Marketplace Fee for loan can be updated any time after bid until lender accepts

Question

0xDjango - Marketplace Fee for loan can be updated any time after bid until lender accepts

Closed this issue 2 months ago · 0 comments

0xDjango

high

Marketplace Fee for loan can be updated any time after bid until lender accepts

Summary

A user creates a bid for a loan using submitBid(). Upon submitting the bid, the marketplace fee is not stored. Instead, when the lender accepts the bid using lenderAccetBid(), the marketplace fee is queried from the MarketplaceRegistry contract and used to calculate the amount of principal owed to the borrower. This fee can be updated up to 100% by the marketplace owner at any time between the bid submission to loan acceptance.

Vulnerability Detail

The marketplace fee should be written to the loan's storage to ensure that the updates to the fee cannot affect a bid retroactively. The marketplace owner can update the fee so large that the borrower receives 0 principal.

        amountToMarketplace = bid.loanDetails.principal.percent(
            marketRegistry.getMarketplaceFee(bid.marketplaceId)
        );
        amountToBorrower =
            bid.loanDetails.principal -
            amountToProtocol -
            amountToMarketplace;

Impact

Borrowers can receive 0-value loans due to updates to the marketplace fee percent, even after their bid has been submitted.

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/TellerV2.sol#L525-L531

Tool used

Manual Review

Recommendation

Write the marketplace fee percent to loan storage at the time of bid submission, and ensure that the borrower agrees to the terms.

Duplicate of #125