Severity: medium

Auction mechanism can be abused to result in user collateral loss

Summary

As implemented, the auction mechanism can be abused so that a user either loses collateral outright, or is forced to choose between accepting a loan at a disadvantageous rate and risking the loss of that collateral.

The function startAuction is responsible for starting an auction.
Some concerning details about the auction:

  • it can be started by the lender at any point after the borrower has accepted the loan offer

  • the auction length is known at the start but can be any value, for example a few hours, after which the collateral is lost in favor of the lender

Because of this implementation, a malicious group can flood users with very advantageous loan offers that have fairly short auction lengths, and simply start the auction right after a user takes the loan. The group repeats this until the user makes a mistake and accepts a shorter period and loses the collateral, or is coerced into accepting a bad loan.

Vulnerability Details

A theoretical POC follows:

  • alice wants to borrow some collateral

  • she may take just a small loan offer

  • bob offers a very advantageous loan rate, knocking out all other offers (or actually being the only one, if a less popular ERC20 token is used)

  • bob also makes several different advantageous loan offers, each just slightly worse than the previous one, so as to fill the top of the "best rates" UI, all from different addresses

  • alice sees this offer; it seems suspicious, but since she sees that there are other similar offers, she accepts and uses the loaned tokens for her intended purpose

  • bob instantly starts an auction

From this point, there are several scenarios that may lead to alice losing the collateral:

  • alice is not aware that her loan was instantly auctioned, or has already locked up the loaned capital, or simply leaves the computer for the loan time; she loses her collateral

  • alice sees the auction but, as there are also several other similar loan offers, she waits until the end of the auction time and attempts to accept them. Regardless of how long she waits, when she tries to accept them she fails, because bob front-runs alice's refinance request and removes the borrowing amount from the phishing loan pools (controlled by him).

This leads to alice panicking while going through all the good offers, and she eventually either loses the collateral or accepts a higher loan rate than intended.

Impact

Borrower risks losing his collateral or is forced into accepting less favorable offers.

Tools Used

Manual review

Recommended Mitigation

Add a minimum wait time, enforced at the protocol level, after which the auction can be started.
Add a minimum auction time because, as it is, users can be phished into accepting a good offer and instantly lose their collateral.
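
A minimal sketch of both recommended guards, added here as an illustration; it is not the audited contract's code. The contract, its function names other than startAuction, the struct fields and the two constant values are all assumptions made for the example, and token transfers are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only: a stripped-down loan book, not the audited contract.
/// Every name and both constant values are assumptions chosen for the example.
contract AuctionGuardSketch {
    uint256 public constant MIN_LOAN_AGE = 3 days;       // assumed value
    uint256 public constant MIN_AUCTION_LENGTH = 1 days; // assumed value

    struct Loan {
        address lender;
        address borrower;
        uint256 startTimestamp;        // when the borrower accepted the offer
        uint256 auctionLength;         // fixed by the lender's offer
        uint256 auctionStartTimestamp; // 0 while no auction is running
    }

    Loan[] public loans;

    error AuctionTooShort();
    error LoanTooYoung();
    error NotLender();
    error AuctionAlreadyStarted();
    error AuctionNotStarted();
    error AuctionStillRunning();

    /// Borrower accepts an offer; offers with a too-short auction cannot be taken.
    function borrow(address lender, uint256 auctionLength) external returns (uint256 id) {
        if (auctionLength < MIN_AUCTION_LENGTH) revert AuctionTooShort();
        loans.push(Loan(lender, msg.sender, block.timestamp, auctionLength, 0));
        return loans.length - 1;
    }

    /// Lender may only start the auction once the loan has reached a minimum age.
    function startAuction(uint256 id) external {
        Loan storage loan = loans[id];
        if (msg.sender != loan.lender) revert NotLender();
        if (loan.auctionStartTimestamp != 0) revert AuctionAlreadyStarted();
        if (block.timestamp < loan.startTimestamp + MIN_LOAN_AGE) revert LoanTooYoung();
        loan.auctionStartTimestamp = block.timestamp;
    }

    /// Collateral can be seized only after a started auction has run its full length.
    function seizeCollateral(uint256 id) external {
        Loan storage loan = loans[id];
        if (loan.auctionStartTimestamp == 0) revert AuctionNotStarted();
        if (block.timestamp < loan.auctionStartTimestamp + loan.auctionLength) revert AuctionStillRunning();
        delete loans[id]; // collateral transfer to the lender omitted
    }
}
```

With these two checks, the earliest moment collateral can be seized is MIN_LOAN_AGE + MIN_AUCTION_LENGTH after the borrower accepts, regardless of what the lender's offer specifies.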
