20,000 USDC
Submission Details
Severity: high
Valid

Lender.sol#buyLoan() - A loan can be bought with mismatching tokens.

Summary

A loan can be bought with mismatching loanToken.

Vulnerability Details

Currently there is no check that the loanToken of the buyer's pool is the same as the loan's loanToken. This means someone can use a much cheaper token to buy a loan denominated in a much more expensive token.

Example:
Alice creates a pool with a loanToken = WETH.
Bob borrows 1 WETH from Alice's pool and receives his WETH.
Alice decides to auction off Bob's loan and calls startAuction.
Lizzy (malicious) creates her own pool with a loanToken = USDC.
Since the protocol doesn't use an oracle and the value of the actual token isn't taken into account when calling buyLoan, Lizzy can buy Alice's loan for only 1 USDC, because only token amounts are taken into consideration.

Impact

Loss of funds for the original lender.

Tools Used

Manual review

Recommendations

Add a check in buyLoan similar to the one in giveLoan.

    function buyLoan(uint256 loanId, bytes32 poolId) public {
        // get the loan info
        Loan memory loan = loans[loanId];
        // validate the loan
        if (loan.auctionStartTimestamp == type(uint256).max)
            revert AuctionNotStarted();
        if (block.timestamp > loan.auctionStartTimestamp + loan.auctionLength)
            revert AuctionEnded();
        // calculate the current interest rate
        // Check if the tokens are matching.
        if (pools[poolId].loanToken != loan.loanToken) revert TokenMismatch();
        if (pools[poolId].collateralToken != loan.collateralToken)
            revert TokenMismatch();
        ...
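
A simplified Python model of the Alice / Bob / Lizzy example with and without the recommended check, added here as an illustration and not taken from the protocol's Solidity code. The Pool and Loan fields, the DAI collateral token, the balances and the amount-only bookkeeping in buy_loan are constructed assumptions.

```python
from dataclasses import dataclass

class TokenMismatch(Exception):
    """Stands in for the TokenMismatch() revert in the recommended fix."""

@dataclass
class Pool:
    loan_token: str
    collateral_token: str
    balance: int  # amount of loan_token, whole tokens for readability

@dataclass
class Loan:
    lender_pool: str
    loan_token: str
    collateral_token: str
    debt: int

def buy_loan(pools, loan, buyer_pool_id, check_tokens):
    """Move an auctioned loan to the buyer's pool using amounts only (assumed model)."""
    buyer = pools[buyer_pool_id]
    if check_tokens:  # the two comparisons the recommendation adds
        if buyer.loan_token != loan.loan_token:
            raise TokenMismatch("loanToken")
        if buyer.collateral_token != loan.collateral_token:
            raise TokenMismatch("collateralToken")
    if buyer.balance < loan.debt:
        raise ValueError("pool balance too low")
    buyer.balance -= loan.debt                    # debited in the buyer's token
    pools[loan.lender_pool].balance += loan.debt  # credited as a bare number
    loan.lender_pool = buyer_pool_id
    return buyer.loan_token

def scenario(check_tokens):
    """Constructed state: Alice lends WETH, Lizzy's pool holds USDC."""
    pools = {
        "alice": Pool("WETH", "DAI", 9),
        "lizzy": Pool("USDC", "DAI", 5),
    }
    loan = Loan("alice", "WETH", "DAI", debt=1)
    try:
        paid_in = buy_loan(pools, loan, "lizzy", check_tokens)
    except TokenMismatch as exc:
        return f"reverted: {exc}", loan.lender_pool
    return f"paid in {paid_in}", loan.lender_pool

if __name__ == "__main__":
    print(scenario(False)); print(scenario(True))
```

Without the check the WETH loan changes hands against a USDC-denominated debit; with it the call is rejected and the loan stays in Alice's pool.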
