Gentle Turquoise Shetland
High
Marketplace fees are only taken into account for a bid when a lender calls lenderAcceptBid, which allows the marketplace owner to freely modify the marketplace fee before the bid is actually accepted by the lender.
The fee for the bid is fetched from the marketplace’s details in lenderAcceptBid. In the interval between a user submitting the bid and a lender accepting it, the marketplace owner can change the fee without notifying the user. This can be used as a honeypot: an attacker creates a marketplace with very low fees, waits for users to submit bids, changes the fee to a very high percentage and accepts the bids, causing users to pay more than they expected.
- Attacker needs to create a marketplace
- Victim needs to create a bid
No response
- [Attacker] Creates a marketplace with a low fee
- [Victim] Submits a bid
- [Attacker] Changes the marketplace fee to a higher amount
- [Attacker] Accepts the bid (either from their own contract or a new one added to the list of verified lenders)
- [Victim] Has a bid with a higher fee than expected
This issue allows attackers to gain additional tokens by tricking users into submitting a bid to a rogue marketplace with apparently low fees, whose fee is later changed without notifying the user.
No response
Introduce a new field in the Bid structure that stores the marketplace fee at the time of bid submission. Then, lenderAcceptBid reads the value directly from the structure.
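A minimal sketch of that mitigation, added here as an illustration and not taken from the audited code base. Apart from lenderAcceptBid and Bid, every name (FeeSnapshotLending, Market, setMarketFee, submitBid, marketplaceFeeBps, maxFeeBps) is hypothetical, fees are assumed to be in basis points, and token transfers are left out. The maxFeeBps argument is an extra assumption beyond the recommendation: it covers a fee change that lands just before the bid transaction is mined.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: the fee is copied into the Bid at submission time,
// so later changes by the market owner cannot affect existing bids.
contract FeeSnapshotLending {
    struct Market { address owner; uint16 feeBps; }
    struct Bid {
        address borrower;
        uint256 marketId;
        uint256 principal;
        uint16 marketplaceFeeBps; // snapshot taken in submitBid
        bool accepted;
    }

    uint16 public constant MAX_FEE_BPS = 10_000; // 100%
    Market[] public markets;
    Bid[] public bids;

    event BidAccepted(uint256 indexed bidId, address indexed lender, uint256 marketplaceFee);

    function createMarket(uint16 feeBps) external returns (uint256 marketId) {
        require(feeBps <= MAX_FEE_BPS, "fee too high");
        markets.push(Market(msg.sender, feeBps));
        return markets.length - 1;
    }

    function setMarketFee(uint256 marketId, uint16 feeBps) external {
        Market storage m = markets[marketId];
        require(msg.sender == m.owner, "not owner");
        require(feeBps <= MAX_FEE_BPS, "fee too high");
        m.feeBps = feeBps; // only bids submitted after this call see the new fee
    }

    function submitBid(uint256 marketId, uint256 principal, uint16 maxFeeBps)
        external returns (uint256 bidId)
    {
        uint16 fee = markets[marketId].feeBps;
        require(fee <= maxFeeBps, "fee above borrower limit");
        bids.push(Bid(msg.sender, marketId, principal, fee, false));
        return bids.length - 1;
    }

    function lenderAcceptBid(uint256 bidId) external returns (uint256 marketplaceFee) {
        Bid storage bid = bids[bidId];
        require(!bid.accepted, "already accepted");
        bid.accepted = true;
        // Read the stored snapshot, never markets[bid.marketId].feeBps.
        marketplaceFee = (bid.principal * bid.marketplaceFeeBps) / 10_000;
        emit BidAccepted(bidId, msg.sender, marketplaceFee);
    }
}
```

A regression test for this fix would submit a bid, call setMarketFee with a higher value, and assert that lenderAcceptBid still returns the fee computed from the original rate.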