Submission Details
Severity: high
Valid

Incorrect setting of the lender while buying loan

Summary

Anyone can call buyLoan(uint256 loanId, bytes32 poolId) and become the lender of that loan.

Vulnerability Details

buyLoan() can be called by anyone for any loan and pool. The function then transfers the loan to that pool after all the checks pass. Finally, it sets the lender of the transferred loan to msg.sender here:

// update the loan with the new info
loans[loanId].lender = msg.sender;

Since anyone can call this function, the lender can be set to an address different from the pool's actual lender. After this, if the loan is seized by calling seizeLoan(), the collateral is transferred to the loan's lender:

IERC20(loan.collateralToken).transfer(
    loan.lender,
    loan.collateral - govFee
);

Since loan.lender is set incorrectly, the collateral tokens are effectively stolen.

Impact

Collateral tokens can be transferred to the wrong address: on seizure they go to whoever called buyLoan(), not to the pool's actual lender.

Tools Used

Manual Review

Recommendations

Lender assignment should be based on the actual lender of the pool, looked up through pools[poolId].lender:

-loans[loanId].lender = msg.sender;
+loans[loanId].lender = pools[poolId].lender;
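Review bot: the replacement line relies on pools[poolId].lender being the authoritative owner of the target pool, and it only corrects the assignment; buyLoan() remains callable by anyone (as the Summary states), so the pre-transfer checks mentioned in the Vulnerability Details stay the sole guard on which pool a loan can be moved into and should be reviewed alongside this change.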
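The following Python model is an added illustration, not code from the audited project or from this submission. It reproduces the flow described in the Vulnerability Details (an unrelated caller invokes buyLoan(), then the loan is seized) and shows where the collateral ends up with the original assignment versus the recommended one-line change. The Pool and Loan structures, the address labels, the 1% fee used for govFee, and the pre-transfer checks being assumed to pass are all constructed for the example; the contract's real checks and fee logic are not on this page.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    lender: str  # hypothetical field: the address that funded the pool


@dataclass
class Loan:
    lender: str
    borrower: str
    collateral_token: str
    collateral: int


class LendingModel:
    """Minimal model of the loan/pool bookkeeping relevant to the finding."""

    # Constructed fee for seize_loan(); the real govFee calculation is not on the page.
    GOV_FEE_BPS = 100  # 1% of collateral

    def __init__(self, fixed: bool):
        self.fixed = fixed  # True -> the recommended fix is applied
        self.pools: dict[str, Pool] = {}
        self.loans: dict[int, Loan] = {}
        # token -> holder -> balance; stands in for the ERC20 contracts
        self.balances: dict[str, dict[str, int]] = {}

    def _credit(self, token: str, holder: str, amount: int) -> None:
        self.balances.setdefault(token, {})
        self.balances[token][holder] = self.balances[token].get(holder, 0) + amount

    def balance_of(self, token: str, holder: str) -> int:
        return self.balances.get(token, {}).get(holder, 0)

    def buy_loan(self, msg_sender: str, loan_id: int, pool_id: str) -> None:
        loan = self.loans[loan_id]
        pool = self.pools[pool_id]
        # The contract's own pre-transfer checks (pool terms, balances, ...)
        # are not shown on the page and are assumed to pass here.
        if self.fixed:
            loan.lender = pool.lender  # +loans[loanId].lender = pools[poolId].lender;
        else:
            loan.lender = msg_sender   # -loans[loanId].lender = msg.sender;

    def seize_loan(self, loan_id: int) -> str:
        """Mirrors the collateral transfer in seizeLoan(); returns the recipient."""
        loan = self.loans.pop(loan_id)
        gov_fee = loan.collateral * self.GOV_FEE_BPS // 10_000
        self._credit(loan.collateral_token, "protocol_fee_receiver", gov_fee)
        # IERC20(loan.collateralToken).transfer(loan.lender, loan.collateral - govFee);
        self._credit(loan.collateral_token, loan.lender, loan.collateral - gov_fee)
        return loan.lender


def collateral_recipient(fixed: bool) -> tuple[str, int]:
    """Set up one pool and one loan, let an unrelated caller invoke buyLoan(),
    then seize the loan. Returns (recipient, amount received)."""
    m = LendingModel(fixed=fixed)
    m.pools["pool-A"] = Pool(lender="pool_lender")
    m.loans[1] = Loan(lender="original_lender", borrower="borrower",
                      collateral_token="WETH", collateral=1_000)
    m.buy_loan(msg_sender="unrelated_caller", loan_id=1, pool_id="pool-A")
    recipient = m.seize_loan(1)
    return recipient, m.balance_of("WETH", recipient)


if __name__ == "__main__":
    print("vulnerable:", collateral_recipient(fixed=False))  # ('unrelated_caller', 990)
    print("fixed:     ", collateral_recipient(fixed=True))   # ('pool_lender', 990)
```

The model deliberately keeps only the two lines the finding turns on (the lender assignment in buyLoan() and the transfer in seizeLoan()); with the original assignment the seized collateral is credited to the arbitrary caller, and with the pool lookup it reaches the pool's lender.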
