20,000 USDC
Submission Details
Severity: medium
Valid

Lender.sol#_calculateInterest() - Using a token with low decimals will result in 0 interest and fees in some cases

Summary

Using a token with low decimals will result in 0 interest and fees in some cases

Vulnerability Details

Let's look at the _calculateInterest function, specifically this line:

    interest = (l.interestRate * l.debt * timeElapsed) / 10000 / 365 days;

Because this is integer division, the result rounds down to zero whenever the numerator (l.interestRate * l.debt * timeElapsed) is smaller than the combined divisor (10000 * 365 days).
Examples of when this can occur:
l.interestRate and timeElapsed are small numbers. In the example case, the debt can be anywhere from 100 to 999 tokens.

    // interestRate = 10, timeElapsed = 1 minute, debt in 6-decimal token units
    function testSmallInterestRateAndSmallTimeElapsed(uint256 debt) public {
        vm.assume(debt > 100 * 10 ** 6 && debt <= 1000 * 10 ** 6);
        assertGt((10 * debt * 1 minutes) / 10000 / 365 days, 0);
    }

Higher interestRate and timeElapsed, but using a token with even fewer decimals.

    // interestRate = 1000, timeElapsed = 1 day, debt in 2-decimal token units
    function testSmallDebt(uint256 debt) public {
        vm.assume(debt > 10 * 10 ** 2 && debt <= 100 * 10 ** 2);
        assertGt((1000 * debt * 1 days) / 10000 / 365 days, 0);
    }

Both tests should fail for some values within the ranges given in vm.assume.

Impact

Loss of funds for the protocol and the lender of the pool.

Tools Used

Manual review
Foundry (fuzz)

Recommendations

The simplest way to fix this is to add a whitelist for tokens, or to add more precision to the equation, for example with a scaling factor.
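
The following Foundry test is an added example, not code from the submission or the audited protocol. It pins down the exact debt below which the quoted formula accrues nothing for the two cases above, and shows a scaled variant that keeps the fraction. Every name in it, and the 1e18 scale, is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Added example. Only the truncating formula comes from the finding;
// every name below, and the 1e18 scale, is hypothetical.
contract InterestPrecisionTest is Test {
    uint256 constant BPS = 10000;
    uint256 constant YEAR = 365 days;
    uint256 constant SCALE = 1e18; // assumed scaling factor

    // Formula quoted in the finding: floors to 0 for small inputs.
    function truncating(uint256 rate, uint256 debt, uint256 dt) internal pure returns (uint256) {
        return (rate * debt * dt) / BPS / YEAR;
    }

    // Same formula with the result kept in SCALE-d units. The caller must
    // accumulate this value and divide by SCALE only when settling.
    function scaled(uint256 rate, uint256 debt, uint256 dt) internal pure returns (uint256) {
        return (rate * debt * dt * SCALE) / (BPS * YEAR);
    }

    // Smallest debt for which the truncating formula accrues one unit:
    // ceil(BPS * YEAR / (rate * dt)).
    function minDebt(uint256 rate, uint256 dt) internal pure returns (uint256) {
        uint256 d = rate * dt;
        return (BPS * YEAR + d - 1) / d;
    }

    function checkBoundary(uint256 rate, uint256 dt, uint256 expected) internal {
        uint256 m = minDebt(rate, dt);
        assertEq(m, expected);
        assertEq(truncating(rate, m - 1, dt), 0); // just below: nothing accrues
        assertEq(truncating(rate, m, dt), 1);     // at the boundary: one unit
        assertGt(scaled(rate, m - 1, dt), 0);     // scaled form keeps the fraction
    }

    function testBoundaries() public {
        // First case on the page: rate 10, 1 minute, 6-decimal token.
        checkBoundary(10, 1 minutes, 525_600_000);
        // Second case: rate 1000, 1 day, 2-decimal token.
        checkBoundary(1000, 1 days, 3650);
    }
}
```

A lender that adopts the scaled form has to store the accumulated scaled interest and convert it to token units at repayment, otherwise the division by the scale reintroduces the same truncation on every call.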
