Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Lender can front-run borrwer to reduce auction length

Juntao

Summary

Lender can front-run borrwer to reduce auction length.

Vulnerability Details

When a borrower borrows a loan, the borrower can only specify poolId, debt and collateral , but cannot specify the auction length:

struct Borrow {
/// @notice the pool ID to borrow from
bytes32 poolId;
/// @notice the amount to borrow
uint256 debt;
/// @notice the amount of collateral to put up
uint256 collateral;
}

This is problematic as lender can front-run and reduce the auction length.
This can be done by calling setPool(…) function.

Impact

Loan can be seized in a very short period of time before borrower can react and repay is auction length is very short.

Tools Used

Manual Review

Recommendations

Borrower should be allowed to specify interest rate and auction length when borrowing, transaction should be revert if the pool's interest rate or aution length is not as expected.

struct Borrow {
/// @notice the pool ID to borrow from
bytes32 poolId;
/// @notice the amount to borrow
uint256 debt;
/// @notice the amount of collateral to put up
uint256 collateral;
+ uint256 auctionLength;
}
function borrow(Borrow[] calldata borrows) public {
for (uint256 i = 0; i < borrows.length; i++) {
+ uint256 auctionLength = borrows[i].auctionLength;
+ if (auctionLength != auctionLength) revert;
}
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.