Some tokens take a transfer fee (STA, PAXG) and there are some that currently do not but might do so in the future (USDT, USDC). This can create an accounting problem in the contract.
According to the information provided by the developer, the contract can handle any ERC20 token, but issues may arise with tokens that charge a fee on transfer, like STA, PAXG, etc. For example, when taking a loan the borrower specifies the debt amount. The amount actually transferred to the borrower will be less than expected, but all the calculations, such as loanRatio and the Loan struct update, will be based on the debt amount provided by the user.
Let's consider a scenario where the transfer fee on the token is 10%. The borrower sets debt to 100 tokens but receives only 90 tokens. All the calculations inside the contract are still based on the full 100 tokens, which produces incorrect accounting and, in this case, a loss for the borrower.
Note that this is only one example of an issue related to tokens with transfer fees. There may be multiple instances of similar issues, so it is important to handle all similar edge cases related to this type of token.
Allowing tokens with transfer fees can create many accounting problems in the contracts, which may cause loss of user funds or a system DoS.
manual review
If possible do not allow any weird tokens to be traded in the protocol.
Another option would be to add an extra calculation to check and handle all use cases for this type of fee-bearing token. For example, in the borrowing scenario, we can record the borrower account's balance before the transfer and after the transfer, and perform calculations only on the difference.
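The balance-difference approach described above, as an added sketch that is not the audited contract's code. The contract name `FeeAwareLending`, its fields, and the `minReceived` parameter are hypothetical, and the sketch assumes the token returns a `bool` from `transfer` and `transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch: contract, field and function names are illustrative only.
contract FeeAwareLending {
    struct Loan {
        address borrower;
        address token;
        uint256 debt; // amount the borrower actually received
    }

    Loan[] public loans;
    mapping(address => uint256) public poolBalance; // token => lendable amount
    bool private locked;

    // Guard: both functions update state after an external token call.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Credit the pool with what arrived, not with the `amount` argument.
    function deposit(address token, uint256 amount) external nonReentrant {
        uint256 balBefore = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        poolBalance[token] += IERC20(token).balanceOf(address(this)) - balBefore;
    }

    // Record the loan on the measured difference; `minReceived` bounds the fee.
    function borrow(address token, uint256 requested, uint256 minReceived)
        external nonReentrant returns (uint256 received)
    {
        poolBalance[token] -= requested; // checked math reverts on insufficient liquidity
        uint256 balBefore = IERC20(token).balanceOf(msg.sender);
        require(IERC20(token).transfer(msg.sender, requested), "transfer failed");
        received = IERC20(token).balanceOf(msg.sender) - balBefore;
        require(received >= minReceived, "received below minimum");
        loans.push(Loan({borrower: msg.sender, token: token, debt: received}));
    }
}
```

With a 10% fee and `requested` of 100, the loan is recorded with a debt of 90, matching what the borrower holds. Tokens that return no value from `transfer` need a safe-transfer wrapper in place of the `require` on the return value.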