This audit report provides an assessment of the "buyLoan" function in the Lender.sol smart contract. It has been identified that the function lacks a check to ensure that the collateral token of the loan matches the collateral token of the Pool. This vulnerability could enable an attacker to create a pool with any collateral token, and when a borrower tries to repay the loan, they may lose a significant amount of money due to mismatches in collateral tokens.
The "buyLoan" function in the Lender.sol contract allows users to purchase a loan from the Pool by providing the required loanId. However, the function does not verify that the collateral token of the loan matches the collateral token of the Pool. As a result, an attacker could exploit this vulnerability by creating a pool with any collateral token and subsequently creating loans within that pool using a different collateral token. When a borrower attempts to repay the loan, the mismatched collateral tokens could lead to a significant loss of funds for the borrower.
The absence of a check to match collateral tokens in the "buyLoan" function creates a loophole that could be exploited by attackers. An attacker could set up a pool with a different collateral token and issue loans with that collateral token. When borrowers attempt to repay the loan, the mismatched collateral tokens may cause a significant loss of funds for the borrowers, as they may not be able to retrieve their collateral.
Tools used: VSCode
To address the vulnerability, it is recommended to implement a check in the "buyLoan" function to ensure that the collateral token of the loan matches the collateral token of the IPool. This can be achieved by comparing the collateral tokens before proceeding with the loan purchase transaction.
By adding this check, the contract will prevent loans from being purchased with mismatched collateral tokens, mitigating the risk of financial losses for borrowers due to token discrepancies.
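A sketch of the recommended check, as an added example rather than code from the audited Lender.sol: the struct layouts, storage names, errors and the `createPool`/`recordLoan` helpers are assumptions made so the contract compiles on its own. It also compares the loan token, which goes one step beyond the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only: a simplified model, not the audited Lender.sol.
// Struct layouts, storage names, errors and helpers are assumptions.
contract BuyLoanSketch {
    struct Pool { address lender; address loanToken; address collateralToken; }
    struct Loan { address lender; address loanToken; address collateralToken; uint256 debt; }

    error PoolNotFound();
    error LoanNotFound();
    error TokenMismatch();

    event LoanBought(uint256 indexed loanId, bytes32 indexed poolId, address newLender);

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    // Registers a pool owned by the caller; the id binds the lender and both tokens.
    function createPool(address loanToken, address collateralToken) external returns (bytes32 poolId) {
        poolId = keccak256(abi.encode(msg.sender, loanToken, collateralToken));
        pools[poolId] = Pool(msg.sender, loanToken, collateralToken);
    }

    // Records a loan so buyLoan has something to act on (token transfers omitted).
    function recordLoan(address loanToken, address collateralToken, uint256 debt) external returns (uint256 loanId) {
        loans.push(Loan(msg.sender, loanToken, collateralToken, debt));
        loanId = loans.length - 1;
    }

    // Moves a loan into poolId only if the pool uses the same token pair.
    function buyLoan(uint256 loanId, bytes32 poolId) external {
        if (loanId >= loans.length) revert LoanNotFound();
        Pool memory pool = pools[poolId];
        if (pool.lender == address(0)) revert PoolNotFound();

        Loan storage loan = loans[loanId];
        // The check the finding recommends: collateral tokens must match.
        if (pool.collateralToken != loan.collateralToken) revert TokenMismatch();
        // Same reasoning applied to the lent token (goes beyond the finding).
        if (pool.loanToken != loan.loanToken) revert TokenMismatch();

        loan.lender = pool.lender;
        emit LoanBought(loanId, poolId, pool.lender);
    }
}
```

Placing both comparisons before any state change or token transfer means a mismatched purchase reverts without side effects.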