Submission Details
Severity: high

Incorrect distribution of rewards to users.

Summary

The issue lies in the contract's failure to consider user withdrawals when calculating the rewards index. This means that if a user withdraws their funds, the contract won't adjust the rewards index accordingly.

POC (Proof of Concept):

    function testUpdateExploit() public {
        // Read the current rewards index
        uint256 originalIndex = staking.index();
        console.log("OI", originalIndex);
        // Deposit funds to increase the total supply
        uint256 depositAmount = 1 ether;
        deal(address(this), depositAmount);
        collateralToken.approve(address(staking), depositAmount);
        loanToken.approve(address(staking), depositAmount);
        staking.deposit(depositAmount);
        // Call update()
        staking.update();
        uint256 afterIndex = staking.index();
        console.log("OIAfter", afterIndex);
        // Verify that the index was not adjusted: it still equals the original value
        assertEq(afterIndex, originalIndex);
    }

POC explanation:

  • At the start the index is 0

  • Funds are deposited (1 ETH)

  • Check that the index is still 0 (no update yet)

  • update() is called

  • Check that the index is still 0 after update()

Vulnerability Details

The problem is that the logic in update() has a bug: it does not calculate the new index correctly when deposits occur.

This means that if funds are later withdrawn, the index remains at 0 instead of decreasing to reflect the reduction in the total funds deposited.

To summarise:

  • The index does not increase correctly with deposits

  • The index does not decrease with withdrawals

This results in an incorrect distribution of rewards, allowing some users to benefit unfairly at the expense of others.

Impact

This could lead to an unfair distribution of rewards among staking participants. The solution would be to adjust the rate when there are withdrawals, not only when there are deposits.

Tools Used

Recommendations

To fix this vulnerability, the update function must take into account changes in the total supply of staking tokens when calculating the reward rate. This way, the contract will calculate rewards accurately and fairly for all users.
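As an added illustration of the recommendation above (example code, not the audited contract's and not the report author's), here is a Python model of a per-token rewards index: with track_withdrawals=False, update() keeps dividing by the supply it last saw at deposit time, reproducing the failure mode described in this report; with True it reads the live total supply on every update, including after withdrawals. The names Staking, update, deposit, withdraw, checkpoint, index and the constant per-block reward rate are assumptions chosen to mirror the report.

```python
from dataclasses import dataclass, field

SCALE = 10**18  # fixed-point scale for the per-token index, as a Solidity contract would use

@dataclass
class Staking:
    reward_per_block: int
    track_withdrawals: bool            # False reproduces the reported failure mode
    index: int = 0                     # cumulative reward per staked token, scaled
    last_block: int = 0
    total_supply: int = 0
    supply_seen_by_update: int = 0     # only refreshed on deposit in the buggy path
    balances: dict = field(default_factory=dict)
    user_index: dict = field(default_factory=dict)
    earned: dict = field(default_factory=dict)

    def update(self, block):
        # Correct accounting reads the live total supply every time; the buggy
        # path keeps dividing by the supply it last saw at deposit time.
        supply = self.total_supply if self.track_withdrawals else self.supply_seen_by_update
        if supply > 0:
            self.index += self.reward_per_block * (block - self.last_block) * SCALE // supply
        self.last_block = block

    def checkpoint(self, user, block):
        # Credit the user's share of index growth since their last checkpoint.
        self.update(block)
        owed = self.balances.get(user, 0) * (self.index - self.user_index.get(user, 0)) // SCALE
        self.earned[user] = self.earned.get(user, 0) + owed
        self.user_index[user] = self.index

    def deposit(self, user, amount, block):
        self.checkpoint(user, block)
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total_supply += amount
        self.supply_seen_by_update = self.total_supply

    def withdraw(self, user, amount, block):
        self.checkpoint(user, block)
        self.balances[user] -= amount
        self.total_supply -= amount    # buggy path never propagates this to update()

def simulate(track_withdrawals):
    # Constructed scenario: two equal stakers, one leaves halfway through.
    s = Staking(reward_per_block=100, track_withdrawals=track_withdrawals)
    s.deposit("alice", 100, block=0)
    s.deposit("bob", 100, block=0)
    s.withdraw("bob", 100, block=10)
    s.checkpoint("alice", block=20)
    emitted = s.reward_per_block * 20
    return s.earned["alice"], s.earned["bob"], emitted
```

With the corrected accounting alice and bob together receive exactly the 2000 units emitted over 20 blocks (1500 and 500); in the buggy path alice is credited only 1000, because after bob's withdrawal update() still divides by the pre-withdrawal supply.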
