Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Unsafe transfer of loan tokens in `addToPool()`

flacko

Summary

When transferring loan tokens in Lender.sol#addToPool(), a pool owner (lender) might end up having more loan tokens on paper than what they've actually deposited.

Vulnerability Details

Some ERC20 tokens do not revert on failure in transfer calls (reference). The addToPool() function in Lender.sol is susceptible to the aforementioned discrepancy error between state and balances because it first calls _updatePoolBalance(), then it transfers loan tokens in.

Impact

If a pool owner transfers tokens in, but the IERC20(pools[poolId].loanToken).transferFrom() call fails, the pool balance will be incremented in state, but the tokens wouldn't be transferred in, which leaves an opportunity for the pool owner to withdraw more tokens from the Lender.sol contract than they've actually deposited since the Lender contract itself holds all deposits.

Tools Used

Manual review

Recommendations

Use safeTransfer or require that the transfer call actually returned true as a result.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.