Submission Details
Severity: high

Unsafe use of ERC20s can be detrimental

Summary

Not checking the success of ERC20 transfers leads to numerous vulnerabilities

Vulnerability Details

In Lender.sol both collateral and loan tokens are transferred unsafely. Many widely-used ERC20 tokens do not revert on an unsuccessful transfer but instead return `false`. The return value of `transfer` and `transferFrom` is never checked anywhere in the contract, so state changes can be applied even though no tokens were actually moved.
For example, in the `repay` function a user may not hold the balance needed to repay their loan; if the loan token does not revert on failure, `repay` does not revert either, and the user's debt is cleared for free without any tokens being sent.

Impact

The lack of safety when using ERC20s throughout the entire contract can lead to significant losses for both the protocol and its users.

Tools Used

Manual review

Recommendations

Use OpenZeppelin's SafeERC20 library (`safeTransfer` / `safeTransferFrom`) for every token transfer in the contract, so that a call that reverts, returns `false`, or returns no data at all causes the transaction to revert.
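The following is an added, constructed illustration of both the vulnerable pattern described under Vulnerability Details and the SafeERC20 fix recommended here. It is not Lender.sol's code; the contract and function names (`FalseReturningToken`, `UncheckedLender`, `SafeLender`, `repay`, `debt`) are assumptions for the example. The OpenZeppelin import paths are the real ones for the v5 line of the library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed token that returns false instead of reverting on failure
/// (the behaviour class the finding refers to; not any specific real token).
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Insufficient balance or allowance: report failure, do not revert.
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) {
            return false;
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable pattern: the boolean returned by transferFrom is discarded,
/// so the debt is reduced even when no tokens moved.
contract UncheckedLender {
    IERC20 public immutable loanToken;
    mapping(address => uint256) public debt;

    constructor(IERC20 token) {
        loanToken = token;
    }

    function borrow(uint256 amount) external {
        // Bookkeeping only; funding of the loan is omitted for brevity.
        debt[msg.sender] += amount;
    }

    function repay(uint256 amount) external {
        loanToken.transferFrom(msg.sender, address(this), amount); // return value ignored
        debt[msg.sender] -= amount; // executes even if the transfer returned false
    }
}

/// Hardened version: SafeERC20 reverts if the call fails, returns false,
/// or (for tokens that return nothing) returns unexpected data.
contract SafeLender {
    using SafeERC20 for IERC20;

    IERC20 public immutable loanToken;
    mapping(address => uint256) public debt;

    constructor(IERC20 token) {
        loanToken = token;
    }

    function borrow(uint256 amount) external {
        debt[msg.sender] += amount;
    }

    function repay(uint256 amount) external {
        // Reverts when the token reports failure, so debt is only cleared
        // after the tokens have actually been received.
        loanToken.safeTransferFrom(msg.sender, address(this), amount);
        debt[msg.sender] -= amount;
    }
}
```

To reproduce the finding's scenario in a test: deploy `FalseReturningToken`, call `borrow(100)` from an account that holds zero tokens, approve the lender, then call `repay(100)`. With `UncheckedLender` the call succeeds and `debt` drops to 0 while the lender's balance stays 0; with `SafeLender` the same call reverts with SafeERC20's failed-operation error and `debt` remains 100.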
