The setPool() function in the contract does not validate that the p.loanToken address provided is not zero. It also does not validate that p.poolBalance is greater than zero.
Together, these omissions allow a Pool to be created with the zero address as the loanToken.
The setPool() function should validate that p.loanToken is a valid contract address. It does rely on an EVM revert when transferFrom() is called on the zero address, but this call only happens when the poolBalance is more than the currentBalance, which in the case of a new pool would also be zero.
Failure to validate the p.loanToken input can lead to pools being created with an invalid loan token, which may lead to loss of funds or other unexpected behaviour with regard to the novel functionality offered by this contract.
Manual Review
Add necessary input validations to ensure that the p.loanToken address is not zero.
Whilst this can be guarded on the frontend inputs, the smart contracts are the ultimate check, and the guard rails should ultimately be set there.
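A sketch of the recommended validation, as an added example that is not the audited contract's code. The contract name `PoolModel`, the `Pool` struct layout, the `poolId` derivation and the custom errors are assumptions made for illustration; only `setPool()`, `loanToken`, `poolBalance`, `currentBalance` and `transferFrom()` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified model of the pool-creation path described above.
contract PoolModel {
    struct Pool {
        address lender;
        address loanToken;
        uint256 poolBalance;
    }

    mapping(bytes32 => Pool) public pools;

    error ZeroLoanToken();
    error LoanTokenNotAContract();

    function setPool(Pool calldata p) external returns (bytes32 poolId) {
        // Added guards: reject the zero address and any address without
        // deployed code before any state is written.
        if (p.loanToken == address(0)) revert ZeroLoanToken();
        if (p.loanToken.code.length == 0) revert LoanTokenNotAContract();

        // Assumed pool key; the real contract may derive it differently.
        poolId = keccak256(abi.encode(msg.sender, p.loanToken));
        uint256 currentBalance = pools[poolId].poolBalance;

        // Without the guards above, a new pool with poolBalance == 0 has
        // poolBalance == currentBalance, so this branch is skipped and the
        // revert that a call to address(0) would trigger is never reached.
        if (p.poolBalance > currentBalance) {
            IERC20(p.loanToken).transferFrom(
                msg.sender,
                address(this),
                p.poolBalance - currentBalance
            );
        }

        pools[poolId] = Pool(msg.sender, p.loanToken, p.poolBalance);
    }
}
```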