Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Inability to refinance within the same pool due to exceeding the pool balance

bernd

Summary

The refinance function in the Lender contract allows a borrower to refinance a loan to a new offer. However, when refinancing within the same pool, the pool balance may not be sufficient as the balance is checked against the full debt, not the additional debt.

Vulnerability Details

With the refinance function, a borrower can refinance the loan to a new offer (e.g., increasing or decreasing the debt). The loan can potentially be refinanced and assigned to a new pool, or the loan can be refinanced within the same pool. In either case, the pool balance is checked in line 616 to ensure the pool balance is sufficient to cover the total debt.

However, when refinancing within the same pool, the pool balance may not be sufficient as the balance is checked against the full debt, not the additional debt.

For instance, given a pool with an initial balance of 100 ether ETH. A borrower borrows 90 ether (pools balance is 10 ether after creating the loan) and, after a while, attempts to refinance and increase the debt by an additional 10 ether ETH, to a total debt of 100 ether ETH.

At the time of the refinance, the pool's balance is 10 ether ETH and checked if it's smaller than the loan's new debt in line 616. However, as debt is the total debt (90 ether + 10 ether = 100 ether), the check 10 ether < 100 ether evaluates to true and thus reverts with the LoanTooLarge error, reverting the refinance attempt.

Lender.sol#L616

591: function refinance(Refinance[] calldata refinances) public {

592: for (uint256 i = 0; i < refinances.length; i++) {

593: uint256 loanId = refinances[i].loanId;

594: bytes32 poolId = refinances[i].poolId;

595: bytes32 oldPoolId = keccak256(

596: abi.encode(

597: loans[loanId].lender,

598: loans[loanId].loanToken,

599: loans[loanId].collateralToken

600: )

601: );

602: uint256 debt = refinances[i].debt;

603: uint256 collateral = refinances[i].collateral;

604:

605: // get the loan info

606: Loan memory loan = loans[loanId];

607: // validate the loan

608: if (msg.sender != loan.borrower) revert Unauthorized();

609:

610: // get the pool info

611: Pool memory pool = pools[poolId];

612: // validate the new loan

613: if (pool.loanToken != loan.loanToken) revert TokenMismatch();

614: if (pool.collateralToken != loan.collateralToken)

615: revert TokenMismatch();

616: @> if (pool.poolBalance < debt) revert LoanTooLarge(); // @audit-info pool balance is potentially exceeded and reverts

617: if (debt < pool.minLoanSize) revert LoanTooSmall();

618: uint256 loanRatio = (debt * 10 ** 18) / collateral;

... // [...]

Impact

Refinancing a loan (i.e., increasing the debt) within the same pool potentially fails, leading to unutilized pool balance.

Tools Used

Manual Review

Recommendations

Consider removing the if statement checking the pool balance in line 616. In case the debt is larger than the current pool balance, updating the pool balance with the _updatePoolBalance function in line 636 would revert anyway.

Alternatively, consider only checking the pool balance for the additional debt in line 616.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!