Gentle Turquoise Shetland

High

Marketplace fees are not bound to bid at submission time, which might cause unexpected fees

Summary

Marketplace fees are only taken into account for a bid when a lender calls lenderAcceptBid, which allows the marketplace owner to freely modify the marketplace fee before the bid is actually accepted by the lender.

Root Cause

The fee for the bid is fetched from the marketplace’s details in lenderAcceptBid. In the interval between a user submitting the bid and a lender accepting it, the marketplace owner can change the fee without notifying the user. This can be used as a honeypot: one creates a marketplace with very low fees, waits for users to submit bids, changes the fee to a very high percentage and accepts the bids, causing users to pay more than they expected.

Internal pre-conditions

  1. Attacker needs to create a marketplace
  2. Victim needs to create a bid

External pre-conditions

No response

Attack Path

  1. [Attacker] Creates a marketplace with a low fee
  2. [Victim] Submits a bid
  3. [Attacker] Changes the marketplace fee to a higher amount
  4. [Attacker] Accepts the bid (either from their own contract or a new one added to the list of verified lenders)
  5. [Victim] Has a bid with a higher fee than expected

Impact

This issue allows attackers to gain additional tokens by tricking users into submitting a bid to a rogue marketplace with apparently low fees, whose fee is then changed without notifying the user.

PoC

No response

Mitigation

Introduce a new field in the Bid structure that stores the marketplace fee at the time of bid submission. Then, lenderAcceptBid reads the value directly from the structure.
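
A minimal sketch of this mitigation, added here as an illustration and not taken from the audited code base: only lenderAcceptBid, the Bid structure and the marketplace fee are named in the report, while the contract name, the other functions, the storage layout and the basis-point fee unit are assumptions. It also goes one step beyond the stated mitigation by letting the borrower pass a maxFeeBps limit, so a fee raised just before submission is rejected as well.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model, not the audited contract: only lenderAcceptBid, the Bid
// structure and the marketplace fee come from the report; other names are assumed.
contract FeeBoundBids {
    struct Bid {
        address borrower;
        uint256 marketplaceId;
        uint256 principal;
        uint16 marketplaceFeeBps; // fee snapshotted at submission (the new field)
        bool accepted;
    }

    mapping(uint256 => address) public marketOwner;
    mapping(uint256 => uint16) public marketFeeBps; // live, owner-controlled value
    mapping(uint256 => Bid) public bids;
    uint256 public nextMarketId;
    uint256 public nextBidId;

    function createMarket(uint16 feeBps) external returns (uint256 id) {
        require(feeBps <= 10_000, "fee > 100%");
        id = nextMarketId++;
        marketOwner[id] = msg.sender;
        marketFeeBps[id] = feeBps;
    }

    function setMarketFee(uint256 id, uint16 feeBps) external {
        require(msg.sender == marketOwner[id], "not owner");
        require(feeBps <= 10_000, "fee > 100%");
        marketFeeBps[id] = feeBps; // affects only bids submitted after this call
    }

    // maxFeeBps (assumed parameter) lets the borrower reject an unexpected fee.
    function submitBid(uint256 marketId, uint256 principal, uint16 maxFeeBps) external returns (uint256 bidId) {
        uint16 fee = marketFeeBps[marketId];
        require(fee <= maxFeeBps, "fee above borrower limit");
        bidId = nextBidId++;
        bids[bidId] = Bid(msg.sender, marketId, principal, fee, false);
    }

    // Returns the fee amount; token transfers are omitted from this model.
    function lenderAcceptBid(uint256 bidId) external returns (uint256 feeAmount) {
        Bid storage bid = bids[bidId];
        require(bid.borrower != address(0) && !bid.accepted, "invalid bid");
        bid.accepted = true;
        // Read the bound value, never marketFeeBps[bid.marketplaceId].
        feeAmount = (bid.principal * bid.marketplaceFeeBps) / 10_000;
    }
}
```

In this model, calling setMarketFee after submitBid leaves the fee returned by lenderAcceptBid for that bid unchanged, which is the property the mitigation is meant to guarantee.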