Submission Details
Severity: high
Valid

Malicious Borrower can hijack the auction process and keep the assets stuck in the contract forever

Summary

The lender calls startAuction(), and no one buys the loan within the auction length. The lender then tries to seize the loan, but a malicious borrower can call refinance() with the same original offer and overwrite the defaulted state of the loan. The lender then has to start an auction again. A persistent borrower can cause the assets to be locked in the contract forever, with the lender unable to recover them.

Vulnerability Details

If the borrower doesn't return the loan token, the lender can call startAuction() to start an auction and see whether anyone is interested in returning his loan. If no one is interested, the lender can seize the loan after the auction period ends. The borrower can interrupt this by calling refinance(). He can pass the same original offer that the loan is connected to, which resets the loan by updating the loan information (loans[loanId].auctionStartTimestamp):

loans[loanId].collateral = collateral;
// update loan interest rate
loans[loanId].interestRate = pool.interestRate;
// update loan start timestamp
loans[loanId].startTimestamp = block.timestamp;
// update loan auction start timestamp
loans[loanId].auctionStartTimestamp = type(uint256).max;
// update loan auction length
loans[loanId].auctionLength = pool.auctionLength;
// update loan lender
loans[loanId].lender = pool.lender;
// update pool balance
pools[poolId].poolBalance -= debt;

Impact

Assets may be locked in the contract

Tools Used

VS Code

Recommendations

Disable the refinance function while an auction is in progress.
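
One way to express this guard, as an added example that is not the audited contract's code: a simplified model that keeps only the fields named above and treats type(uint256).max as the "no auction" sentinel, as the snippet in this finding does. The contract name, open(), seizeLoan() and the AuctionInProgress error are assumptions made for illustration; token and collateral transfers are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration only (hypothetical names, no transfers).
contract AuctionGuardModel {
    struct Loan {
        address lender;
        address borrower;
        uint256 startTimestamp;
        uint256 auctionStartTimestamp; // type(uint256).max means "no auction"
        uint256 auctionLength;
    }

    error AuctionInProgress();

    mapping(uint256 => Loan) public loans;

    // Hypothetical helper: the caller becomes the lender of a fresh loan.
    function open(uint256 loanId, address borrower, uint256 auctionLength) external {
        loans[loanId] = Loan(msg.sender, borrower, block.timestamp, type(uint256).max, auctionLength);
    }

    function startAuction(uint256 loanId) external {
        Loan storage loan = loans[loanId];
        require(msg.sender == loan.lender, "not lender");
        require(loan.auctionStartTimestamp == type(uint256).max, "already started");
        loan.auctionStartTimestamp = block.timestamp;
    }

    function refinance(uint256 loanId) external {
        Loan storage loan = loans[loanId];
        require(msg.sender == loan.borrower, "not borrower");
        // Guard from the recommendation: once the lender has started an
        // auction, the borrower can no longer reset the loan state.
        if (loan.auctionStartTimestamp != type(uint256).max) revert AuctionInProgress();
        // Mirrors the reset shown in the finding; only reachable with no auction.
        loan.startTimestamp = block.timestamp;
        loan.auctionStartTimestamp = type(uint256).max;
    }

    // Seizure is possible only after a started auction has run its full length.
    function seizeLoan(uint256 loanId) external {
        Loan storage loan = loans[loanId];
        require(loan.auctionStartTimestamp != type(uint256).max, "no auction");
        require(block.timestamp >= loan.auctionStartTimestamp + loan.auctionLength, "auction live");
        delete loans[loanId];
    }
}
```

With the guard in place, a refinance() call made after startAuction() reverts, so auctionStartTimestamp keeps its value and seizeLoan() becomes callable once auctionLength has elapsed.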
