Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

No limit on the amount of reward tokens that can be claimed

Cryptic Snake REACH

Summary

There is no limit on the amount of reward tokens that can be claimed. The balance could be drained.

Vulnerability Details

Reentrancy attack could occur in the claimable function of the Staking.sol. The function could be vulnerable to a reentrancy attack because it calls the updateFor function, which updates the user's index and claimable rewards. If an attacker were to call the claimable function while the updateFor function was still executing, the attacker could potentially withdraw more rewards than they are entitled to.

/// @notice claim rewards

function claim() external {

updateFor(msg.sender);

WETH.transfer(msg.sender, claimable[msg.sender]);

claimable[msg.sender] = 0;

balance = WETH.balanceOf(address(this));

}

/// @notice update the index for a user

/// @param recipient the user to update

function updateFor(address recipient) public {

update();

uint256 _supplied = balances[recipient];

if (_supplied > 0) {

uint256 _supplyIndex = supplyIndex[recipient];

supplyIndex[recipient] = index;

uint256 _delta = index - _supplyIndex;

if (_delta > 0) {

uint256 _share = _supplied * _delta / 1e18;

claimable[recipient] += _share;

}

} else {

supplyIndex[recipient] = index;

}

Impact

The balance could be drained

Tools Used

Manual code review

Recommendations

A way to prevent a reentrancy attack is to use the lock statement. The lock statement prevents other functions from being called while the lock statement is executing. This can be used to ensure that the updateFor function has finished executing before the claimable function withdraws rewards. For example, the following code would prevent a reentrancy attack using the lock statement:

function claimable() external {

updateFor(msg.sender);

lock();

WETH.transfer(msg.sender, claimable[msg.sender]);

claimable[msg.sender] = 0;

balance = WETH.balanceOf(address(this));

unlock();

}

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.