20,000 USDC
Submission Details
Severity: medium
Valid

Fees.sol: A portion of the fee may be captured for tokens for which no 0.3% pool exists.

Summary

The sellProfits function in Fees.sol swaps tokens through a Uniswap pool. The fee is hardcoded to 3000, but a pool with a fee of 3000 may not exist for the token being sold. In that case, a malicious user can intentionally create that pool with a high price for WETH and steal part of the fee.

Vulnerability Details

    ISwapRouter.ExactInputSingleParams memory params = ISwapRouter
        .ExactInputSingleParams({
            tokenIn: _profits,
            tokenOut: WETH,
            fee: 3000, // <= fee is fixed
            recipient: address(this),
            deadline: block.timestamp,
            amountIn: amount,
            amountOutMinimum: 0,
            sqrtPriceLimitX96: 0
        });

sellProfits in Fees.sol uses a fixed fee of 3000. Uniswap V3 has four fee tiers (1%, 0.3%, 0.05%, and 0.01%), and 3000 selects the 0.3% pool. For a given token, the 0.3% pool may not exist. A malicious user who knows this can create that pool with the price of WETH set high and then call sellProfits. As a result, the tokens are exchanged for WETH at an inflated rate and the malicious user profits.

Impact

Fees that should be distributed to Stakers can be partially stolen by malicious users.

Tools Used

VS Code

Recommendations

Modify the function to take the fee as an argument and make it callable only by authorized users.
