Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

In `refinance` function `pools[poolId].poolBalance` of new pool is updated twice and `debt` deducted two times.

0x11singh99

Summary

In refinance function of Lender.sol, when loan is being refinanced to new pool from old pool ,then pools[poolId].poolBalance of new pool is updated twice(at lines 636 and 698) that means debt deducted two times from pools[poolId].poolBalance.It should only be one time deduction not twice for same loanId in same iteration. Otherwise it will be a loss of debt amount of loanToken for new pool lender.

Vulnerability Details

When loan is being refinanced to new pool from old pool then the poolBalance of both pools should be updated. For new pool where the loan is refinanced to debt should be deducted from pools[poolId].poolBalance once. But here debt is being deducted twice from pools[poolId].poolBalance first one is using _updatePoolBalance function at line 636 where the new poolBalance will updated in storage for passed poolId and new poolBalance after deducting debt ,second time at line 698 directly deducting debt from pools [poolId].poolBalance,and that is the problem here deducting debt two times. Because of this lender of the new pool will be in loss of debt amount of loanToken will never get them for this new pool where the loan refinanced to using refinance function. For all the loans that are passed in refinance function all lenders will be in loss of each debt amount different for each loan that is being refinanced to new pools respectively.

Vulnerable Code : src/Lender.sol#L636 src/Lender.sol#L698

In refinance function.

File : src/Lender.sol

635: // now lets deduct our tokens from the new pool

636: _updatePoolBalance(poolId, pools[poolId].poolBalance - debt);

...

698: pools[poolId].poolBalance -= debt;

_updatePoolBalance Function

File: src/Lender.sol

732: function _updatePoolBalance(bytes32 poolId, uint256 newBalance) internal {

733: pools[poolId].poolBalance = newBalance;

734: emit PoolBalanceUpdated(poolId, newBalance);

735: }

Impact

It will be a loss of debt amount of loanToken tokens for the new pool lender in that pool where the loan refinanced to. And these tokens will be stuck in Lender.sol contract as lender can't also withdraw more than his poolBalance.

Tools Used

Manual Review

Recommendations

In refinance function, deduct debt from pools[poolId].poolBalance one time for loan refinancing. For this remove either line 636 or line 698 from refinance function code. Removing line 698 is better as it is not using _updatePoolBalance function for updating poolBalance. So to maintain consistency in updating poolBalance remove line 698.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!