Severity: high

Unbounded Array Looping Vulnerability in Multiple Functions

Summary

The protocol has several functions that let users pass unbounded arrays, which is a potential vulnerability.

Vulnerability Details

Use of unbounded arrays could lead to Denial-of-Service (DoS). The functions do not check the length of the arrays passed as parameters, which could result in excessive gas consumption and block the execution of other essential transactions, leading to DoS.

Impact

/// @notice Hands each loan in `loanIds` over to the pool at the same index in
///         `poolIds`. The caller must be the loan's current lender; the loan is
///         re-issued under the new pool's lender and rate with a reset start
///         time and accrued interest rolled into the principal.
/// @dev `loanIds` and `poolIds` are read in lockstep and neither array is
///      bounded: a `poolIds` shorter than `loanIds` reverts on the
///      out-of-bounds read, a longer one is silently ignored past
///      `loanIds.length`, and a very long `loanIds` can exceed the block gas
///      limit (see the audit notes below). A revert on any element undoes the
///      whole batch.
/// @param loanIds loans to move; each must currently belong to `msg.sender`
/// @param poolIds destination pool ids, one per entry in `loanIds`
function giveLoan(
    uint256[] calldata loanIds,
    bytes32[] calldata poolIds
) external {
    // @audit-issue no array length check, can lead to DOS attacks
    for (uint256 i = 0; i < loanIds.length; i++) {
        uint256 loanId = loanIds[i];
        bytes32 poolId = poolIds[i];
        // get the loan info
        Loan memory loan = loans[loanId];
        // validate the loan
        if (msg.sender != loan.lender) revert Unauthorized();
        // @audit-issue no checks to see if pool exist
        // NOTE(review): an unset pool has zero-address tokens, so the
        // TokenMismatch checks below appear to reject it as long as the
        // loan's tokens are non-zero — confirm that is the intended guard.
        // get the pool info
        Pool memory pool = pools[poolId];
        // validate the new loan
        if (pool.loanToken != loan.loanToken) revert TokenMismatch();
        if (pool.collateralToken != loan.collateralToken)
            revert TokenMismatch();
        // new interest rate cannot be higher than old interest rate
        if (pool.interestRate > loan.interestRate) revert RateTooHigh();
        // auction length cannot be shorter than old auction length
        if (pool.auctionLength < loan.auctionLength) revert AuctionTooShort();
        // calculate the interest
        (
            uint256 lenderInterest,
            uint256 protocolInterest
        ) = _calculateInterest(loan);
        // the new pool must fund the full debt plus accrued interest; the
        // ratio check uses the loan's existing collateral, which this
        // function never changes
        uint256 totalDebt = loan.debt + lenderInterest + protocolInterest;
        if (pool.poolBalance < totalDebt) revert PoolTooSmall();
        if (totalDebt < pool.minLoanSize) revert LoanTooSmall();
        // NOTE(review): reverts (division by zero) if loan.collateral is 0 —
        // presumably unreachable for a live loan; verify.
        uint256 loanRatio = (totalDebt * 10 ** 18) / loan.collateral;
        if (loanRatio > pool.maxLoanRatio) revert RatioTooHigh();
        // update the pool balance of the new lender
        // (debited totalDebt; the old pool is credited debt + lenderInterest
        // and protocolInterest leaves the contract below — the three sum to
        // totalDebt)
        _updatePoolBalance(poolId, pool.poolBalance - totalDebt);
        pools[poolId].outstandingLoans += totalDebt;
        // update the pool balance of the old lender
        bytes32 oldPoolId = getPoolId(
            loan.lender,
            loan.loanToken,
            loan.collateralToken
        );
        _updatePoolBalance(
            oldPoolId,
            pools[oldPoolId].poolBalance + loan.debt + lenderInterest
        );
        pools[oldPoolId].outstandingLoans -= loan.debt;
        // transfer the protocol fee to the governance
        // @audit-issue no txn status checks and multiple transfer functions
        // NOTE(review): the bool returned by transfer() is ignored, so a token
        // that reports failure by returning false instead of reverting leaves
        // the pool accounting above applied while no fee was actually paid.
        IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
        emit Repaid(
            loan.borrower,
            loan.lender,
            loanId,
            loan.debt + lenderInterest + protocolInterest,
            loan.collateral,
            loan.interestRate,
            loan.startTimestamp
        );
        // update the loan with the new info
        // (lender, rate and start time come from the new pool; the
        // type(uint256).max "no auction" sentinel is restored; interest is
        // rolled into the principal)
        loans[loanId].lender = pool.lender;
        loans[loanId].interestRate = pool.interestRate;
        loans[loanId].startTimestamp = block.timestamp;
        loans[loanId].auctionStartTimestamp = type(uint256).max;
        loans[loanId].debt = totalDebt;
        emit Borrowed(
            loan.borrower,
            pool.lender,
            loanId,
            loans[loanId].debt,
            loans[loanId].collateral,
            pool.interestRate,
            block.timestamp
        );
    }
}
/// @notice Starts the liquidation auction for each loan in `loanIds`.
///         Only the loan's lender may call; a loan whose auction is already
///         running reverts with AuctionStarted.
/// @dev Unbounded loop over calldata; a revert on any element undoes the
///      whole batch. `type(uint256).max` in `auctionStartTimestamp` is the
///      "no auction" sentinel used throughout.
/// @param loanIds loans to put up for auction; each must belong to `msg.sender`
function startAuction(uint256[] calldata loanIds) public {
    // @audit-issue no array length check, can lead to DOS attacks
    for (uint256 i = 0; i < loanIds.length; i++) {
        uint256 loanId = loanIds[i];
        // get the loan info
        Loan memory loan = loans[loanId];
        // validate the loan
        if (msg.sender != loan.lender) revert Unauthorized();
        // anything other than the sentinel means an auction is in progress
        if (loan.auctionStartTimestamp != type(uint256).max)
            revert AuctionStarted();
        // set the auction start timestamp
        loans[loanId].auctionStartTimestamp = block.timestamp;
        emit AuctionStart(
            loan.borrower,
            loan.lender,
            loanId,
            loan.debt,
            loan.collateral,
            block.timestamp,
            loan.auctionLength
        );
    }
}
/// @notice Settles each loan in `loanIds` whose auction has ended: the
///         collateral is paid to the lender minus a `borrowerFee` cut sent to
///         `feeReceiver`, the lender's pool is relieved of the outstanding
///         debt, and the loan record is deleted.
/// @dev Callable by anyone — there is no sender check, only the auction
///      timing checks. The two token transfers run before the pool update and
///      the `delete`, and their return values are not checked. Unbounded loop;
///      a revert on any element undoes the whole batch.
/// @param loanIds loans to seize; each must have an auction that has ended
function seizeLoan(uint256[] calldata loanIds) public {
    // @audit-issue no array length check, can lead to DOS attacks
    // @audit-issue no access- control
    for (uint256 i = 0; i < loanIds.length; i++) {
        uint256 loanId = loanIds[i];
        // get the loan info
        Loan memory loan = loans[loanId];
        // validate the loan
        // sentinel => no auction was ever started
        if (loan.auctionStartTimestamp == type(uint256).max)
            revert AuctionNotStarted();
        if (
            block.timestamp <
            loan.auctionStartTimestamp + loan.auctionLength
        ) revert AuctionNotEnded();
        // calculate the fee
        // NOTE(review): borrowerFee is divided by 10000, i.e. it reads as
        // basis points rather than a percentage — confirm the unit.
        uint256 govFee = (borrowerFee * loan.collateral) / 10000; //converting to percentage
        // transfer the protocol fee to governance
        // NOTE(review): transfer() return values are ignored here and below;
        // a token returning false would still let the state updates proceed.
        IERC20(loan.collateralToken).transfer(feeReceiver, govFee);
        // transfer the collateral tokens from the contract to the lender
        IERC20(loan.collateralToken).transfer(
            loan.lender,
            loan.collateral - govFee
        );
        // NOTE(review): pool id hashed inline rather than via getPoolId() as
        // in giveLoan — presumably the same encoding; verify they agree.
        bytes32 poolId = keccak256(
            abi.encode(loan.lender, loan.loanToken, loan.collateralToken)
        );
        // update the pool outstanding loans
        // (poolBalance is not credited: the lender is paid in collateral
        // directly, not in loan tokens)
        pools[poolId].outstandingLoans -= loan.debt;
        emit LoanSiezed(
            loan.borrower,
            loan.lender,
            loanId,
            loan.collateral
        );
        // delete the loan
        delete loans[loanId];
    }
}
/// @notice Lets a borrower move each loan in `refinances` to a new pool with
///         a new debt and collateral amount. Accrued interest is settled with
///         the old pool, the borrower pays or receives the loan-token and
///         collateral differences, and the loan is re-issued under the new
///         pool's lender, rate and auction length with a reset start time.
/// @dev Caller must be the loan's borrower. Unbounded loop; a revert on any
///      element undoes the whole batch. Every ERC20 transfer/transferFrom
///      return value is ignored. See the review notes inline on the
///      new-pool balance accounting and on a zero `collateral`.
/// @param refinances per-loan requests carrying loanId, poolId, debt and
///        collateral
function refinance(Refinance[] calldata refinances) public {
    // @audit-issue no array length check, can lead to DOS attacks
    for (uint256 i = 0; i < refinances.length; i++) {
        uint256 loanId = refinances[i].loanId;
        bytes32 poolId = refinances[i].poolId;
        // the current lender's pool, hashed from storage before the loan is
        // copied to memory below
        bytes32 oldPoolId = keccak256(
            abi.encode(
                loans[loanId].lender,
                loans[loanId].loanToken,
                loans[loanId].collateralToken
            )
        );
        uint256 debt = refinances[i].debt;
        uint256 collateral = refinances[i].collateral;
        // get the loan info
        Loan memory loan = loans[loanId];
        // validate the loan
        if (msg.sender != loan.borrower) revert Unauthorized();
        // get the pool info
        Pool memory pool = pools[poolId];
        // validate the new loan
        if (pool.loanToken != loan.loanToken) revert TokenMismatch();
        if (pool.collateralToken != loan.collateralToken)
            revert TokenMismatch();
        if (pool.poolBalance < debt) revert LoanTooLarge();
        if (debt < pool.minLoanSize) revert LoanTooSmall();
        // NOTE(review): reverts (division by zero) when the requested
        // collateral is 0; no explicit check precedes it.
        uint256 loanRatio = (debt * 10 ** 18) / collateral;
        if (loanRatio > pool.maxLoanRatio) revert RatioTooHigh();
        // calculate the interest
        (
            uint256 lenderInterest,
            uint256 protocolInterest
        ) = _calculateInterest(loan);
        // what the old loan costs to close: principal plus both interest cuts
        uint256 debtToPay = loan.debt + lenderInterest + protocolInterest;
        // update the old lenders pool
        _updatePoolBalance(
            oldPoolId,
            pools[oldPoolId].poolBalance + loan.debt + lenderInterest
        );
        pools[oldPoolId].outstandingLoans -= loan.debt;
        // now lets deduct our tokens from the new pool
        // NOTE(review): this already sets the new pool's balance to
        // poolBalance - debt (if _updatePoolBalance writes the balance, as its
        // use in giveLoan suggests); the `pools[poolId].poolBalance -= debt`
        // near the end of this loop body subtracts the same amount a second
        // time, and giveLoan has no such second subtraction — looks like a
        // double debit of the new pool; confirm.
        _updatePoolBalance(poolId, pools[poolId].poolBalance - debt);
        pools[poolId].outstandingLoans += debt;
        if (debtToPay > debt) {
            // we owe more in debt so we need the borrower to give us more loan tokens
            // transfer the loan tokens from the borrower to the contract
            // @audit-issue no txn status checks and multiple transfer functions
            IERC20(loan.loanToken).transferFrom(
                msg.sender,
                address(this),
                debtToPay - debt
            );
        } else if (debtToPay < debt) {
            // we have excess loan tokens so we give some back to the borrower
            // first we take our borrower fee
            // (borrowerFee is applied only to the refunded difference and is
            // divided by 10000 — reads as basis points; confirm the unit)
            uint256 fee = (borrowerFee * (debt - debtToPay)) / 10000;
            // @audit-issue no txn status checks and multiple transfer functions
            IERC20(loan.loanToken).transfer(feeReceiver, fee);
            // transfer the loan tokens from the contract to the borrower
            IERC20(loan.loanToken).transfer(msg.sender, debt - debtToPay - fee);
        }
        // @audit-issue no txn status checks and multiple transfer functions
        // transfer the protocol fee to governance
        IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
        // update loan debt
        loans[loanId].debt = debt;
        // update loan collateral
        if (collateral > loan.collateral) {
            // transfer the collateral tokens from the borrower to the contract
            IERC20(loan.collateralToken).transferFrom(
                msg.sender,
                address(this),
                collateral - loan.collateral
            );
        } else if (collateral < loan.collateral) {
            // transfer the collateral tokens from the contract to the borrower
            IERC20(loan.collateralToken).transfer(
                msg.sender,
                loan.collateral - collateral
            );
        }
        // NOTE(review): emitted with the *new* debt and collateral, whereas
        // giveLoan's Repaid carries the amount actually repaid — confirm which
        // consumers of this event expect.
        emit Repaid(
            msg.sender,
            loan.lender,
            loanId,
            debt,
            collateral,
            loan.interestRate,
            loan.startTimestamp
        );
        loans[loanId].collateral = collateral;
        // update loan interest rate
        loans[loanId].interestRate = pool.interestRate;
        // update loan start timestamp
        loans[loanId].startTimestamp = block.timestamp;
        // update loan auction start timestamp
        // (type(uint256).max is the "no auction" sentinel)
        loans[loanId].auctionStartTimestamp = type(uint256).max;
        // update loan auction length
        loans[loanId].auctionLength = pool.auctionLength;
        // update loan lender
        loans[loanId].lender = pool.lender;
        // update pool balance
        // NOTE(review): second subtraction of `debt` from the new pool — see
        // the note at the _updatePoolBalance(poolId, ...) call above.
        pools[poolId].poolBalance -= debt;
        emit Borrowed(
            msg.sender,
            pool.lender,
            loanId,
            debt,
            collateral,
            pool.interestRate,
            block.timestamp
        );
        emit Refinanced(loanId);
    }
}

Tools Used

Manual review and Slither

Recommendations

To address this vulnerability, add array length checks before executing the loop: ensure that the arrays passed as parameters have a reasonable and expected number of elements before proceeding with the logic.
