20,000 USDC
Submission Details
Severity: medium
Valid

The pool lender can maliciously modify interestRate to steal user funds

Summary

When a user borrows, poolId is passed in without any check of the pool's current state. The pool lender can watch the mempool for the borrow transaction and then immediately raise interestRate to the maximum value, stealing part of the user's funds as interest.

Vulnerability Details

// get the pool info
Pool memory pool = pools[poolId];
// make sure the pool exists
if (pool.lender == address(0)) revert PoolConfig();
// validate the loan
if (debt < pool.minLoanSize) revert LoanTooSmall();
if (debt > pool.poolBalance) revert LoanTooLarge();
if (collateral == 0) revert ZeroCollateral();
// make sure the user isn't borrowing too much
uint256 loanRatio = (debt * 10 ** 18) / collateral;
if (loanRatio > pool.maxLoanRatio) revert RatioTooHigh();
// create the loan
Loan memory loan = Loan({
    lender: pool.lender,
    borrower: msg.sender,
    loanToken: pool.loanToken,
    collateralToken: pool.collateralToken,
    debt: debt,
    collateral: collateral,
    interestRate: pool.interestRate,
    startTimestamp: block.timestamp,
    auctionStartTimestamp: type(uint256).max,
    auctionLength: pool.auctionLength
});

As the code above shows, the current state of the pool may not be consistent with the state when the user initiated the transaction, which may result in the loss of the user's funds.
The same goes for other parameters, such as auctionLength.

Impact

When the pool lender front-runs the borrow to modify interestRate, the user has to bear high interest.

Tools Used

Manual review

Recommendations

Let the user express intent through parameters: the borrower specifies interestRate in the borrow call.
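
One way to apply this recommendation, as an added example that is not the audited project's code: the borrower passes the terms they agreed to and the call reverts if the pool no longer matches. The contract name, `setPool`, the `maxInterestRate` and `expectedAuctionLength` parameters, and the `RateTooHigh` and `TermsChanged` errors are hypothetical; token transfers and the other pool fields are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: only the fields needed to show the borrower-intent checks.
contract BoundedBorrow {
    struct Pool { address lender; uint256 poolBalance; uint256 interestRate; uint256 auctionLength; }
    struct Loan {
        address lender; address borrower; uint256 debt;
        uint256 interestRate; uint256 startTimestamp; uint256 auctionLength;
    }

    error PoolConfig();
    error LoanTooLarge();
    error RateTooHigh();   // hypothetical: pool rate exceeds the borrower's cap
    error TermsChanged();  // hypothetical: auctionLength differs from what was quoted

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    // Stand-in for the lender's update path: terms can change in any block,
    // including one ordered just before a pending borrow.
    function setPool(bytes32 poolId, uint256 balance, uint256 rate, uint256 auctionLength) external {
        address current = pools[poolId].lender;
        if (current != address(0) && current != msg.sender) revert PoolConfig();
        pools[poolId] = Pool(msg.sender, balance, rate, auctionLength);
    }

    // maxInterestRate and expectedAuctionLength carry the terms the borrower
    // saw when signing, so a front-run change makes the call revert instead
    // of silently creating a loan on worse terms.
    function borrow(
        bytes32 poolId,
        uint256 debt,
        uint256 maxInterestRate,
        uint256 expectedAuctionLength
    ) external {
        Pool memory pool = pools[poolId];
        if (pool.lender == address(0)) revert PoolConfig();
        if (debt > pool.poolBalance) revert LoanTooLarge();
        if (pool.interestRate > maxInterestRate) revert RateTooHigh();
        if (pool.auctionLength != expectedAuctionLength) revert TermsChanged();

        pools[poolId].poolBalance = pool.poolBalance - debt;
        loans.push(Loan(pool.lender, msg.sender, debt, pool.interestRate, block.timestamp, pool.auctionLength));
    }
}
```

The rate check is an upper bound so a borrow still succeeds if the lender lowers the rate, while auctionLength is matched exactly because the page does not say which direction harms the borrower.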
