deadrxsezzz
high
Lenders can steal all of the borrowers' tokens.
When creating a bid, users are giving their terms on what amount they want to borrow and what interest are they paying over said timeframe. However, before accepting a bid, a lender can set the market fee to 10 000 - protocolFee and then accept the bid. The borrower will not receive any tokens but his collateral will go into escrow and he will have to pay the full loan + interest in order to get it back, despite not receiving any loan.
Lenders will get all of their loan stolen
Manual Review
When creating a bid, let the user choose the highest market fee they are willing to pay. When the lender accepts the bid, make sure the current market fee is <= the market fee the borrower is willing to pay.