Rate limiter can be abused
Description
A single rate limiter covers the entire protocol. It limits the amount of coins that can be withdrawn in a given time window. The limit applies to all supported coin types but not to cTokens. There is no fee for depositing and immediately withdrawing.
Impact
An attacker can halt other users' withdrawals by repeatedly depositing and immediately withdrawing, which intentionally fills the rate limit. Flash loans could potentially make the attack less costly. The exact cost would depend on the gas cost at the time of the attack and the cheapest available flash loans.
However, we note that the administrator can manually reset the rate limit if it is filled and potentially even completely disable it by setting the rate limit to a very large value.
Recommendations
We recommend that the rate-limiter mechanism be redesigned.
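The failure mode described above, as a small Python model added here (not the protocol's code and not part of the report): a fixed-window limiter that counts gross withdrawals is exhausted by zero-fee round trips, while one that counts net outflow is not. The fixed window, the `OutflowLimiter` and `honest_withdrawal_succeeds` names, the sample numbers and the net-outflow variant are all assumptions; the report recommends a redesign without specifying one.

```python
from dataclasses import dataclass


@dataclass
class OutflowLimiter:
    """Fixed-window model of one protocol-wide withdrawal limiter."""
    max_outflow: int    # cap on counted outflow per window
    window: int         # window length in seconds
    net: bool = False   # False: gross withdrawals count (as described above)
                        # True: deposits offset withdrawals (assumed redesign)
    start: int = 0
    used: int = 0

    def _roll(self, now: int) -> None:
        # Start a fresh window once the current one has expired.
        if now - self.start >= self.window:
            self.start = now - (now - self.start) % self.window
            self.used = 0

    def deposit(self, now: int, amount: int) -> None:
        self._roll(now)
        if self.net:
            self.used -= amount  # inflow credits capacity back

    def withdraw(self, now: int, amount: int) -> bool:
        self._roll(now)
        if self.used + amount > self.max_outflow:
            return False         # limit reached: withdrawal rejected
        self.used += amount
        return True


def honest_withdrawal_succeeds(limiter, cycles, cycle_amount, honest_amount):
    """Replay zero-fee deposit+withdraw round trips, then one honest withdrawal."""
    for _ in range(cycles):
        limiter.deposit(0, cycle_amount)
        limiter.withdraw(0, cycle_amount)
    return limiter.withdraw(1, honest_amount)


if __name__ == "__main__":
    # Constructed numbers: cap 1000 per hour, ten round trips of 100, honest user wants 50.
    gross = OutflowLimiter(max_outflow=1000, window=3600)
    netted = OutflowLimiter(max_outflow=1000, window=3600, net=True)
    print("gross accounting:", honest_withdrawal_succeeds(gross, 10, 100, 50))
    print("net accounting:  ", honest_withdrawal_succeeds(netted, 10, 100, 50))
```

In the net model the limiter still caps real outflow: a withdrawal that is not offset by a deposit in the same window counts in full.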