The contract owner has centralized control over critical parameters, which contradicts the stated intention of not relying on extensive on-chain governance. The documentation suggests that after a 180-day waiting period, these parameters can be managed by BLUR governance in a decentralized manner. However, the contract does not implement any waiting period or on-chain governance, allowing the owner to make instant adjustments to key parameters.
The vulnerability lies in the contract owner's ability to modify borrower fees, lender fees, and the fee receiver address without involving the proposed BLUR governance mechanism. The following functions are affected:
- `setLenderFee(uint256 _fee) external onlyOwner`: Allows the contract owner to set the lender fee, with a check to prevent excessive fees.
- `setBorrowerFee(uint256 _fee) external onlyOwner`: Allows the contract owner to set the borrower fee, with a check to prevent excessive fees.
- `setFeeReceiver(address _feeReceiver) external onlyOwner`: Allows the contract owner to set the fee receiver address.
The existence of centralized control over these critical parameters introduces potential risks to the protocol's decentralization and may lead to concerns regarding user trust and fairness. If the contract owner misuses this authority or makes arbitrary adjustments, it could undermine the intended decentralized nature of the protocol.
- On-Chain Governance Implementation: Introduce an on-chain voting or proposal system that allows token holders to participate in decisions related to borrower fees, lender fees, and the fee receiver address.
- 180-Day Waiting Period: Ensure that governance proposals have a waiting period of 180 days before being approved, providing community members with ample time to discuss and evaluate proposals.
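To make the gap concrete, here is an added illustration (not code from the audited contract) of the instant `onlyOwner` setter pattern described above next to a hardened two-step version that enforces the 180-day delay before a proposed fee takes effect. The `MAX_FEE` cap, the `governance` address and the `propose`/`apply` function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Pattern described in the finding: the owner changes the fee and it applies at once.
contract InstantFees {
    address public owner;
    uint256 public lenderFee;
    uint256 public constant MAX_FEE = 1000; // assumed cap, in basis points

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor() { owner = msg.sender; }

    function setLenderFee(uint256 _fee) external onlyOwner {
        require(_fee <= MAX_FEE, "fee too high");
        lenderFee = _fee; // effective immediately: no delay, no governance vote
    }
}

// Hardened form: a proposal is recorded with an ETA and can only be applied
// after the delay has elapsed, so users can see and react to pending changes.
contract TimelockedFees {
    uint256 public constant DELAY = 180 days;
    uint256 public constant MAX_FEE = 1000;
    address public governance;      // assumed: governance contract or multisig
    uint256 public lenderFee;
    uint256 public pendingLenderFee;
    uint256 public lenderFeeEta;    // earliest timestamp the pending fee may be applied

    event LenderFeeProposed(uint256 fee, uint256 eta);
    event LenderFeeApplied(uint256 fee);

    modifier onlyGovernance() { require(msg.sender == governance, "not governance"); _; }
    constructor(address _governance) { governance = _governance; }

    function proposeLenderFee(uint256 _fee) external onlyGovernance {
        require(_fee <= MAX_FEE, "fee too high");
        pendingLenderFee = _fee;
        lenderFeeEta = block.timestamp + DELAY;
        emit LenderFeeProposed(_fee, lenderFeeEta);
    }

    // Permissionless: anyone may apply once the timelock has expired.
    function applyLenderFee() external {
        require(lenderFeeEta != 0, "nothing pending");
        require(block.timestamp >= lenderFeeEta, "timelock not expired");
        lenderFee = pendingLenderFee;
        lenderFeeEta = 0;
        emit LenderFeeApplied(lenderFee);
    }
}
```

The emitted `LenderFeeProposed` event is what off-chain monitoring should alert on, since it marks the start of the window in which a change can still be contested.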