20,000 USDC
Submission Details
Severity: high
Valid

Lender.buyLoan(): An arbitrary user can lock all collateral through buyLoan() forever

Summary

An arbitrary user can lock, and in some cases drain, all collateral through buyLoan() forever.

Vulnerability Details

buyLoan() is used to buy a loan in a refinance auction. However, because it does not ensure that the loan's loanToken/collateralToken pair matches the pool's loanToken/collateralToken pair, funds can be locked forever.

First, an arbitrary user creates a pool whose loanToken is a worthless token of his own, then buys a loan whose auction has already started. Since buyLoan() does not check that the loan's and the pool's tokens are consistent, the purchase does not revert. After buyLoan(), the loan's owner can no longer get their collateral back: to reclaim it they must repay in the loan token, which is now the random token created by the arbitrary user. The owner does not hold that token, so the transfer inside repay() fails and the call reverts.

Scenario

  1. Alice starts an auction of Chris's loan (loanToken: WETH, collateral: USDC).

  2. Bob calls setPool() with random tokens he created that are worth nothing (loanToken: random1, collateral: random2).

  3. Bob calls buyLoan() with the poolId he just created.

  4. Since there is no check on collateralToken and loanToken, Bob buys the loan with random tokens that are worth nothing.

  5. Chris wants to repay the loan.

  6. Since Chris does not hold the loan token (random1), he cannot repay his loan.

  7. The collateral is locked in the contract.

  8. If the collateral token is set to the same address, Bob is able to seize the collateral after the auction.

I illustrated one scenario, but there are many side effects of not checking that the collateral and loan tokens are the same in the loan and the pool.

Impact

The loan's collateral can be locked forever, or collateral funds can even be drained from the loan.

Tools Used

VS Code

Recommendations

Add these two lines to buyLoan(), before the loan is reassigned to the new pool:

if (pools[poolId].loanToken != loan.loanToken) revert TokenMismatch();
if (pools[poolId].collateralToken != loan.collateralToken) revert TokenMismatch();
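To make the scenario above and the effect of the recommended check concrete, here is an added, constructed Python model of the refinance flow. It is not Beedle's Lender.sol and is not the project's code: pools, loans and balances are plain dictionaries, a Revert exception stands in for an EVM revert, and the pool ids, amounts and token names (WETH, USDC, random1, random2) are made up to mirror the steps in the report. The same LenderModel runs buyLoan() once without the token check (the reported behaviour) and once with it (the recommendation).

```python
"""Constructed model of the report's scenario (not Beedle's Lender.sol).

buyLoan() is run in two configurations: the unchecked version from the
report and the version with the recommended TokenMismatch() check.
"""
from __future__ import annotations
from dataclasses import dataclass


class Revert(Exception):
    """Stands in for a Solidity revert."""


@dataclass
class Pool:
    lender: str
    loan_token: str
    collateral_token: str
    balance: int          # liquidity the pool can lend, in loan_token units


@dataclass
class Loan:
    borrower: str
    pool_id: str          # pool currently funding (and owning) the loan
    loan_token: str
    collateral_token: str
    debt: int
    collateral: int       # held in escrow by the contract ("Lender")
    in_auction: bool = False


class LenderModel:
    def __init__(self, check_tokens: bool):
        self.check_tokens = check_tokens          # True = recommended fix applied
        self.pools: dict[str, Pool] = {}
        self.loans: list[Loan] = []
        self.balances: dict[tuple[str, str], int] = {}   # (account, token) -> amount

    # --- ERC20-like helpers --------------------------------------------
    def mint(self, account: str, token: str, amount: int) -> None:
        self.balances[(account, token)] = self.balance_of(account, token) + amount

    def balance_of(self, account: str, token: str) -> int:
        return self.balances.get((account, token), 0)

    def _transfer(self, sender: str, receiver: str, token: str, amount: int) -> None:
        # mirrors a failing transferFrom(): the whole call reverts
        if self.balance_of(sender, token) < amount:
            raise Revert(f"{sender} has insufficient {token}")
        self.balances[(sender, token)] -= amount
        self.mint(receiver, token, amount)

    # --- protocol entry points (simplified) ---------------------------
    def set_pool(self, pool_id: str, pool: Pool) -> None:
        self.pools[pool_id] = pool

    def borrow(self, borrower: str, pool_id: str, debt: int, collateral: int) -> int:
        pool = self.pools[pool_id]
        self._transfer(borrower, "Lender", pool.collateral_token, collateral)  # escrow collateral
        pool.balance -= debt
        self.mint(borrower, pool.loan_token, debt)
        self.loans.append(Loan(borrower, pool_id, pool.loan_token, pool.collateral_token, debt, collateral))
        return len(self.loans) - 1

    def start_auction(self, loan_id: int) -> None:
        self.loans[loan_id].in_auction = True

    def buy_loan(self, loan_id: int, pool_id: str) -> None:
        loan, pool = self.loans[loan_id], self.pools[pool_id]
        if not loan.in_auction:
            raise Revert("AuctionNotStarted")
        if self.check_tokens:
            # the recommended check: the buying pool must use the loan's tokens
            if pool.loan_token != loan.loan_token:
                raise Revert("TokenMismatch")
            if pool.collateral_token != loan.collateral_token:
                raise Revert("TokenMismatch")
        if pool.balance < loan.debt:
            raise Revert("PoolTooSmall")
        pool.balance -= loan.debt                       # buying pool takes over the debt
        self.pools[loan.pool_id].balance += loan.debt   # old pool is made whole
        loan.pool_id = pool_id
        loan.in_auction = False

    def repay(self, loan_id: int) -> None:
        loan = self.loans[loan_id]
        pool = self.pools[loan.pool_id]
        # the debt is settled in the funding pool's loan token ...
        self._transfer(loan.borrower, "Lender", pool.loan_token, loan.debt)
        pool.balance += loan.debt
        # ... and only then is the escrowed collateral released
        self._transfer("Lender", loan.borrower, loan.collateral_token, loan.collateral)
        loan.debt = 0


def run_scenario(check_tokens: bool) -> str:
    """Replays steps 1-7 of the report; returns what happened to Chris's collateral."""
    m = LenderModel(check_tokens)
    m.set_pool("alice", Pool("Alice", "WETH", "USDC", balance=100))
    m.mint("Chris", "USDC", 1_000)                          # constructed amounts
    loan_id = m.borrow("Chris", "alice", debt=10, collateral=1_000)
    m.start_auction(loan_id)                                # step 1
    m.set_pool("bob", Pool("Bob", "random1", "random2", balance=10**18))   # step 2
    try:
        m.buy_loan(loan_id, "bob")                          # steps 3-4
    except Revert as e:
        return f"buyLoan reverted: {e}"
    try:
        m.repay(loan_id)                                    # steps 5-6
    except Revert as e:
        return f"repay reverted: {e}; {m.balance_of('Lender', 'USDC')} USDC still locked"
    return f"repaid; Chris holds {m.balance_of('Chris', 'USDC')} USDC"


if __name__ == "__main__":
    print("without check:", run_scenario(check_tokens=False))
    print("with check:   ", run_scenario(check_tokens=True))
```

Without the check, Bob's purchase goes through and Chris's repay() reverts because he holds none of random1, leaving the escrowed USDC locked (step 7). With the check, buyLoan() itself reverts with TokenMismatch and the loan stays with Alice's pool, so Chris can still repay in WETH.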
