20,000 USDC
Submission Details
Severity: high
Valid

Reentrancy in repay in Lender.sol

Summary

The repay function in Lender.sol does not follow the Checks-Effects-Interactions (CEI) pattern: it updates loans only after an external call.

Vulnerability Details

The implementation does not strictly follow the Checks-Effects-Interactions (CEI) pattern.
Both malicious attackers and unsuspecting ecosystem participants can trigger this: a borrower who takes a loan with an ERC-777 token as collateral (the token's transfer callback hands control back to the recipient) can reenter the contract while repaying the loan.
A malicious user can drain the contract of loan.collateralToken with the following steps.

  1. A user borrows a loan.

  2. The user repays the loan.

  3. The contract transfers the collateral to loan.borrower.

  4. At this point loans[loanId] has not been updated, so the loan still exists.

  5. The user reenters repay and receives the collateral again.

// Interaction: external call to the collateral token (an ERC-777 hook can reenter here)
IERC20(loan.collateralToken).transfer(
    loan.borrower,
    loan.collateral
);
emit Repaid(
    msg.sender,
    loan.lender,
    loanId,
    loan.debt,
    loan.collateral,
    loan.interestRate,
    loan.startTimestamp
);
// Effect: the loan is deleted only after the external call above
delete loans[loanId];

Impact

  1. Drain the contract and steal all loan.collateralToken it holds.

  2. Change the Pool's outstanding debt.

  3. Change PoolBalance.

Tools Used

manual review

Recommendations

Follow the CEI pattern: apply the state change (delete loans[loanId]) before any external call.
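A CEI-ordered repay, written here as an added example rather than code from Lender.sol; the Loan struct, the loans mapping, the Repaid event and the destination of the repaid loan tokens (address(this)) are assumptions that stand in for the real contract's definitions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal interface; the real contract imports its own IERC20.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract LenderRepayExample {
    // Assumed layout mirroring the fields the report's snippet reads.
    struct Loan {
        address lender;
        address borrower;
        address loanToken;
        address collateralToken;
        uint256 debt;
        uint256 collateral;
        uint256 interestRate;
        uint256 startTimestamp;
    }

    mapping(uint256 => Loan) public loans;

    event Repaid(address borrower, address lender, uint256 loanId, uint256 debt,
                 uint256 collateral, uint256 interestRate, uint256 startTimestamp);

    function repay(uint256 loanId) external {
        // Checks: copy the loan to memory so its fields survive the delete below.
        Loan memory loan = loans[loanId];
        require(loan.borrower != address(0), "no such loan");

        // Effects: clear storage before touching any token. A reentrant call
        // into repay(loanId) from an ERC-777 hook now fails the check above.
        delete loans[loanId];

        // Interactions: pull the repayment, then release the collateral.
        require(IERC20(loan.loanToken).transferFrom(msg.sender, address(this), loan.debt),
                "repay transfer failed");
        require(IERC20(loan.collateralToken).transfer(loan.borrower, loan.collateral),
                "collateral transfer failed");

        emit Repaid(msg.sender, loan.lender, loanId, loan.debt, loan.collateral,
                    loan.interestRate, loan.startTimestamp);
    }
}
```

The memory copy is what makes the reordering safe: if `loan` were a storage reference, every `loan.*` read after the delete would return zero.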

+ // delete the loan
+ delete loans[loanId];
// transfer the loan tokens from the borrower to the pool
IERC20(loan.loanToken).transferFrom(
msg.sender,
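Review bot: moving `delete loans[loanId]` ahead of `IERC20(loan.loanToken).transferFrom(` is only correct if `loan` is a memory copy; if it is declared as a `storage` reference, `loan.loanToken` and the `loan.debt`/event fields read after the delete will be zero and the transferFrom will target address(0). Confirm the declaration of `loan` at the top of repay, and since this hunk's `@@` header is missing, state where the two `+` lines are inserted.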
@@ -339,8 +341,6 @@ contract Lender is Ownable {
loan.interestRate,
loan.startTimestamp
);
- // delete the loan
- delete loans[loanId];
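Review bot: dropping the trailing `delete loans[loanId]` completes the CEI reordering, but the `emit Repaid(` whose tail is shown here still reads `loan.interestRate` and `loan.startTimestamp` after the loan has been cleared from storage, so this hunk depends on the same memory-copy assumption as the first; add a regression test that calls repay twice for one loanId (the second call from a token callback) and asserts the second call reverts, so the ordering cannot silently regress.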
