yy
medium
ou0qa1
medium
There is no checking for variables such as Daily interest rate and Duration in submitBid().
On the platform alpha.app.teller.org, the borrower can only request a loan with a specific Daily interest rate and Duration. The Daily interest rate is up to 45% and the Duration is up to 28 days.
Based on the Code Snippet, there is no checking for _lendingToken, _marketplaceId, _principal, _duration, _APR in submitBid().
For example, it works fine if the duration is up to 5360 days (almost 14 years):
    function testSubmitBid() public {
        tellerV2.submitBid(
            address(1), // lending token
            1, // market ID
            0, // principal
            5365 days, // duration
            20_00, // interest rate
            "", // metadata URI
            address(this) // receiver
        );
    }
or it works fine if the interest rate is zero:
    function testSubmitBid() public {
        tellerV2.submitBid(
            address(1), // lending token
            1, // market ID
            0, // principal
            365 days, // duration
            0, // interest rate
            "", // metadata URI
            address(this) // receiver
        );
    }
The borrower could set an extremely low or high APR. The borrower might submit a bid with an extremely low APR, making it unprofitable for lenders, or an extremely high APR, which might be hard to pay back.
https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/TellerV2.sol#L272
https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/TellerV2.sol#L303
Manual Review
Restrict the duration and APR range.
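One way to enforce such a restriction, as an added example that is not TellerV2 code: per-market bounds set by an owner and checked before a bid is stored. The contract name, the `Bounds` struct, the error names, the parameter widths and the owner model are all assumptions made for illustration; APR is taken to be in basis points, as in the `20_00` test value above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added example, not TellerV2 code. Every name and type here is hypothetical.
contract BidBoundsExample {
    struct Bounds {
        uint32 minDuration; // seconds
        uint32 maxDuration; // seconds
        uint16 minAPR;      // basis points, 100 = 1%
        uint16 maxAPR;      // basis points
    }

    address public immutable owner;
    mapping(uint256 => Bounds) public boundsOf; // marketplace ID => bounds

    error MarketNotConfigured(uint256 marketplaceId);
    error ZeroLendingToken();
    error ZeroPrincipal();
    error DurationOutOfRange(uint32 duration);
    error APROutOfRange(uint16 apr);

    constructor() { owner = msg.sender; }

    /// Owner configures the allowed range for one market.
    function setBounds(uint256 marketplaceId, Bounds calldata b) external {
        require(msg.sender == owner, "not owner");
        require(b.minDuration > 0 && b.minDuration <= b.maxDuration, "bad duration bounds");
        require(b.minAPR <= b.maxAPR, "bad APR bounds");
        boundsOf[marketplaceId] = b;
    }

    /// Intended as the first call in a submitBid-style entry point.
    /// Reverts on any of the unchecked inputs named in the finding.
    function validateBid(
        address lendingToken,
        uint256 marketplaceId,
        uint256 principal,
        uint32 duration,
        uint16 apr
    ) public view {
        Bounds memory b = boundsOf[marketplaceId];
        // An unset market has maxDuration == 0, so unknown market IDs are rejected.
        if (b.maxDuration == 0) revert MarketNotConfigured(marketplaceId);
        if (lendingToken == address(0)) revert ZeroLendingToken();
        if (principal == 0) revert ZeroPrincipal();
        if (duration < b.minDuration || duration > b.maxDuration) revert DurationOutOfRange(duration);
        if (apr < b.minAPR || apr > b.maxAPR) revert APROutOfRange(apr);
    }
}
```

With bounds configured for a market, both test calls shown above would revert: each passes a principal of 0, and the second also passes an APR of 0, which fails whenever `minAPR` is set above zero.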