Operator can steal customers collateral via front running

[codehawks-bot]

Operator can steal customers collateral via front running

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L232

Summary

An operator creates a pool and a borrower attempts to borrow from it. The operator front-runs the borrower's request with a call to setPool, altering the auctionLength to 1. Once the borrower's loan is initiated, the operator immediately puts the loan up for auction, lasting only one block (~12 seconds). The operator then seizes the loan in the next block, effectively stealing the collateral from the borrower.

Vulnerability Details

1. Operator creates a reasonable pool
2. Borrower calls borrow on pool
3. Operator front runs with a call to setPool
4. Operator changes the auctionLength to 1
5. Once the borrower borrows operator puts loan up for auction.
6. Since auctionLength is 1 the auction lasts for a single block. This is due to the fact that a block is executed ~12 seconds.
7. Then the operator calls seizeLoan in next block to steal collateral from borrower.

Impact

Customer can have his collateral taken unexpectedly

Tools Used

manual

Recommendations

Have a minimum auctionLength