Merry Lead Orangutan
High
The way it currently works, amountToMarketplace is calculated in lenderAcceptBid() based on the current market fee, which the marketplace owner can change between the time a user submits a bid and the time the lender accepts it, resulting in a loss of funds for the user who submitted the bid.
In TellerV2.sol:517 the amountToMarketplace is calculated using the current market fee, which the market owner can change at any time via updateMarketSettings() in MarketRegistry.sol:503. This allows a market owner to trick the user into thinking the fee is very low and then raise it after the bid is placed. If the market owner is also a lender, it can increase the fee and accept the bid in the same transaction, leaving the user no chance to cancel the bid after the fee increase. The market owner can just as well use a secondary wallet or a deployed contract that acts as the lender to hide its malicious intentions.
- User finds a market with a low fee to bid on
- Marketplace owner changes the fee to the max fee amount using updateMarketSettings()
- Lender accepts the bid using lenderAcceptBid()
Users can lose funds (up to the max market fee of 10%) to the market because the market fee can be modified before the lender accepts the bid.
The market fee can be stored inside the bid structure and set once when the user calls submitBid(), so that the market owner cannot change it after the user has submitted the bid.
Other, less practical mitigation: impose a time delay on market settings updates by the market owner, so a fee change cannot take effect against bids that are already open.
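The two fee-calculation patterns side by side, as an added illustration that is not TellerV2's or MarketRegistry's code: a hypothetical, simplified contract (all names, fields and the basis-point fee encoding are assumptions) where feeToMarketVulnerable reads the fee at accept time, as the report describes, and feeToMarketFixed uses the fee snapshotted into the bid at submit time, as the recommendation proposes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical, simplified market-lending sketch (not TellerV2's code) that puts
// fee-at-accept (vulnerable) and fee-at-submit (fixed) side by side. Fees in bps.
contract MarketLendingSketch {
    struct Bid {
        address borrower;
        uint256 principal;
        uint16 feeBpsAtSubmit; // fee snapshotted when the bid was submitted (the fix)
        bool accepted;
    }

    address public marketOwner;
    uint16 public marketFeeBps;                // owner can change this at any time
    uint16 public constant MAX_FEE_BPS = 1000; // 10%, the cap mentioned in the report
    Bid[] public bids;
    constructor() { marketOwner = msg.sender; }

    // Stand-in for updateMarketSettings(): the owner moves the fee at will.
    function updateMarketFee(uint16 newFeeBps) external {
        require(msg.sender == marketOwner, "not owner");
        require(newFeeBps <= MAX_FEE_BPS, "fee too high");
        marketFeeBps = newFeeBps;
    }

    // Fix: record the fee the user saw at submit time inside the bid.
    function submitBid(uint256 principal) external returns (uint256 bidId) {
        bids.push(Bid(msg.sender, principal, marketFeeBps, false));
        return bids.length - 1;
    }

    // Vulnerable pattern: reads the *current* fee, which the owner may have raised
    // after the bid was submitted, even in the same transaction as the accept.
    function feeToMarketVulnerable(uint256 bidId) public view returns (uint256) {
        return bids[bidId].principal * marketFeeBps / 10_000;
    }

    // Fixed pattern: later changes to marketFeeBps cannot affect this bid.
    function feeToMarketFixed(uint256 bidId) public view returns (uint256) {
        Bid storage b = bids[bidId];
        return b.principal * b.feeBpsAtSubmit / 10_000;
    }

    function lenderAcceptBid(uint256 bidId) external returns (uint256 feeToMarket) {
        Bid storage b = bids[bidId];
        require(!b.accepted, "already accepted");
        b.accepted = true;
        return feeToMarketFixed(bidId); // token transfers omitted for brevity
    }
}
```

With the fixed pattern, a call sequence of submitBid, updateMarketFee(MAX_FEE_BPS), lenderAcceptBid charges the bid the fee that was in force at submit time, whereas feeToMarketVulnerable would charge the raised fee.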