Careful Pistachio Bat
Medium
The protocol's lack of verification between the ownership of orders and loan offers allows attackers to exploit some users who provide liquidity to the protocol. An attacker can fill a user's order using their own loan offer without intending to repay, effectively locking the user's funds for the duration of the loan, without providing any collateral.
The protocol fails to verify that the owner of an order and the loan offer being filled are the same
-
Alice is attempting to earn profits on the Predict.fun protocol as a liquidity provider (LP) by maintaining open orders and loan offers.
-
Bob, however, is not interested in participating in lending activities.
-
Observing Alice's open orders and loan offers, he sees an opportunity.
-
Bob pays a minimal gas fee to fill Alice's order using his own loan offer.
-
As a result, Alice's CT tokens become locked in the protocol for the duration of the loan, which Bob has no intention of repaying.
-
Meanwhile, legitimate users who wish to borrow from Alice are unable to do so, as her funds are already tied up in the protocol.
This exposes some users to potential financial losses while the attacker remains risk-free, leading to locked collateral and disruption in market liquidity.
Enforce checks to ensure that the owner of an order and a corresponding loan offer are not the same before allowing any transaction that fills the order.