Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Rounding Error can cause loanRatio to be surpassed during Refinance

BanditSecurity

Vulnerability Details

One of the fuzz tests in the pre-existing Fuzzing.t.sol actually fails if you are lucky, or you do enough runs! This first occurred in Refinance during my test funds, but the code that causes this is found in borrow and giveLoan functions as well:

uint256 loanRatio = (debt * 10 ** 18) / collateral;
if (loanRatio > pool.maxLoanRatio) revert RatioTooHigh();

Failing tests:

Encountered 1 failing test in test/Fuzzing.t.sol:LenderTest
[FAIL. Reason: Error != expected error: NH{q != 0x971a8035 Counterexample: calldata=0xa7c8953100000000000000000000000000000000000000000000001b1ae4d6e2ef50000100000000000000000000000000000000000000000000000d8d726b7177a7ff84, args=[500000000000000000001 [5e20], 249999999999999999876 [2.499e20]]] testFuzz_refinance(uint256,uint256) (runs: 143, μ: 815412, ~: 808483)

This was the testFuzz_refinance test. This can be verified by subsituting the two args for the inputs in the testFuzz_refinance() yourself.

The part of the fuzz test that failed was:

} else if (debt > collateral*2) {
vm.expectRevert(RatioTooHigh.selector);
lender.refinance(rs);

This occurs when a rounding error underestimates the loanRatio of the debts. The fuzz tests do not run enough times which makes it miss this error and breaking of the fuzzing invariants that the protocol thought couldn't be broken.

Impact

The loanRatio can be slightly surpassed/broken by calling refinance() given the correct inputs. A malicious user could use this to create a borrow which is slightly worth more than what is lent in the right circumstances.

Tools Used

Foundry Fuzz testing

Recommendations

Round up in division to ensure the loan ratio cannot be broken.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.