098.md

Atomic Ceramic Flamingo

High

Malicious borrower can steal funds from lenders through frontrunning question price availability

Summary

Malicious borrowers can monitor the mempool for the question resolution transaction, and if it goes against their bet, they will frontrun the question resolution transaction to obtain loans with soon-to-be worthless collateral.

Root Cause

The functions acceptLoanOffer, acceptLoanOfferAndFillOrder, and matchProposals allow a borrower to take a loan of USDB/USDC using CTF tokens as collateral. The value of CTF tokens is based on the question they correspond to, similar to a bet.

For instance, if a question has a YES or NO answer, and the borrower has CTF tokens tied to the YES answer but the question is resolved as NO, the CTF tokens become worthless at the moment the question resolution becomes available.

Consequently, a malicious borrower can monitor the mempool for the question price availability transaction. If the resolution goes against their initial bet, they can frontrun the transaction by calling acceptLoanOffer, acceptLoanOfferAndFillOrder, or matchProposals to take a loan of valuable USDB/USDC against their soon-to-be worthless collateral.

This vulnerability allows borrowers to obtain loans with collateral that is about to become worthless.

Internal pre-conditions

• An active loan offer needs to exist in the system.

External pre-conditions

• The transaction for question resolution must be visible in the mempool (and the README states that the contracts can be deployed on "potentially any EVM chains with a prediction market that uses Polymarket's CTF exchange and neg risk protocol").

Attack Path

1. The malicious borrower monitors the mempool for incoming question resolution transactions.
2. When a resolution transaction is detected and is unfavorable to the borrower's position, they frontrun it with a call to matchProposals(), acceptLoanOffer, or acceptLoanOfferAndFillOrder.
3. The loan is issued to the borrower, with soon-to-be worthless CTF tokens as collateral.
4. The question resolution transaction executes, rendering the CTF tokens worthless.
5. The borrower defaults on the loan, keeping the borrowed USDB/USDC while the lender is left with worthless collateral.

Impact

The lenders suffer a complete loss of the loaned amount (USDB/USDC). The attackers gain this full amount by exploiting the timing of the question resolution. This vulnerability undermines the entire lending system, as it allows borrowers to obtain risk-free loans and profit at the expense of lenders.

PoC

No response

Mitigation

No response