Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Missing validation allows an attacker to steal and exercise a loan without expense

hash

Summary

Due to missing validation for the input pool in the buyAuction function, an attacker can steal an auctioned loan and convert it to the collateral or obtain the debt amount with a negligible expense.

Vulnerability Details

The buyAuction function doesn't validate the input poolId for the same set of loan and collateral tokens as the loan. The only necessary conditions for a pool to eligible are:

  1. The interest rate must not be higher than the currentAuctionRate

  2. The value of pool balance must not be less than the current total debt of the loan.

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L465-L534

function buyLoan(uint256 loanId, bytes32 poolId) public {
...... more code
uint256 timeElapsed = block.timestamp - loan.auctionStartTimestamp;
uint256 currentAuctionRate = (MAX_INTEREST_RATE * timeElapsed) /
loan.auctionLength;
// validate the rate
if (pools[poolId].interestRate > currentAuctionRate) revert RateTooHigh();
....... more code
// reject if the pool is not big enough
uint256 totalDebt = loan.debt + lenderInterest + protocolInterest;
if (pools[poolId].poolBalance < totalDebt) revert PoolTooSmall();
...... more code
}

This allows an attacker to create a pool with random tokens and perform the following attack:

  1. The attacker first creates two ERC20 tokens and then creates a pool with the following state:

    1. balance > totalDebt of the auctioned loan.

    2. interest rate < currentAuctionRate

  2. The attacker buys the auctioned loan passing in this newly created poolId. Since the necessary conditions are met, the loan is now transferred to the attacker.

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L465-L534

function buyLoan(uint256 loanId, bytes32 poolId) public {
........ more code
// update the loan with the new info
loans[loanId].lender = msg.sender;
loans[loanId].interestRate = pools[poolId].interestRate;
loans[loanId].startTimestamp = block.timestamp;
loans[loanId].auctionStartTimestamp = type(uint256).max;
loans[loanId].debt = totalDebt;
...... more code
}

  1. To be able to receive repayments and to seize the loan the attacker needs to have a pool with the same set of loan / collateral token and an outstanding debt greater than or equal to the debt of this loan.

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L292-L345

function repay(uint256[] calldata loanIds) public {
for (uint256 i = 0; i < loanIds.length; i++) {
uint256 loanId = loanIds[i];
// get the loan info
Loan memory loan = loans[loanId];
....... more code
bytes32 poolId = getPoolId(
loan.lender,
loan.loanToken,
loan.collateralToken
);
// update the pool balance
_updatePoolBalance(
poolId,
pools[poolId].poolBalance + loan.debt + lenderInterest
);
pools[poolId].outstandingLoans -= loan.debt;
....... more code
}

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L548-L586

function seizeLoan(uint256[] calldata loanIds) public {
for (uint256 i = 0; i < loanIds.length; i++) {
uint256 loanId = loanIds[i];
// get the loan info
Loan memory loan = loans[loanId];
...... more code
bytes32 poolId = keccak256(
abi.encode(loan.lender, loan.loanToken, loan.collateralToken)
);
// update the pool outstanding loans
pools[poolId].outstandingLoans -= loan.debt;
....... more code
}

  1. For this the attacker creates a pool with the same set of loan / collateral token and sets the balance of the pool equal to the debt of this loan. To get an outstanding debt, the attacker sets the maxLoanRatio to type(uint256).max and borrows the debt amount himself for negligible amount of collateral.

  2. The attacker then creates an auction for this loan. Now he will either be able to:

    1. Obtain the debt amount from the borrower if the borrower repays.

    2. Obtain the debt amount if somebody else buys this loan.

    3. Obtain the collateral amount by seizing the loan if nobody buys.

Impact

Auctioned loans can be stolen and converted to the collateral amount or the debt amount. This will disrupt the accounting of the system and will make it insolvent. ie. eventually for a pool owner, either there wouldn't be enough tokens in the contract to withdraw funds from a pool or there would be no collateral to seize from.

Tools Used

Manual review

Recommendations

Keep validations for the pool tokens and the owner in the buyAuction function.

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L465-L534

function buyLoan(uint256 loanId, bytes32 poolId) public {
...... more code
// reject if the tokens don't match
if (pool.loanToken != loan.loanToken) revert TokenMismatch();
if (pool.collateralToken != loan.collateralToken)
revert TokenMismatch();
...... more code
// update the loan with the new info
loans[loanId].lender = pools[poolId].lender;
loans[loanId].interestRate = pools[poolId].interestRate;
loans[loanId].startTimestamp = block.timestamp;
loans[loanId].auctionStartTimestamp = type(uint256).max;
loans[loanId].debt = totalDebt;
emit Borrowed(
loan.borrower,
pools[poolId].lender,
loanId,
loans[loanId].debt,
loans[loanId].collateral,
pools[poolId].interestRate,
block.timestamp
);
emit LoanBought(loanId);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.