Submission Details
Severity: high
Valid

Borrower debt is increased but the increased loan tokens are not transferred to the borrower.

Summary

The borrower's debt is updated, but the increased debt amount is not transferred to the borrower.

Vulnerability Details

When a lender gives his loan to another lender, or a lender buys a loan during the refinance auction, the borrower's debt is increased as loans[loanId].debt = totalDebt, but the increase, i.e. lenderInterest + protocolInterest, is not transferred to the borrower. As a result, when the borrower repays the loan he has to pay debt = totalDebt + (lenderInterest + protocolInterest), where this lenderInterest and protocolInterest are calculated on totalDebt, even though the amount actually transferred to the borrower is less than totalDebt. The borrower is therefore paying interest on debt he never took. The interest rate of the new pool might be lower than the previous pool's, but the borrower will owe a larger debt and therefore pay more money when he repays the loan.

Impact

The borrower is paying more debt than he took, and thus paying more interest than he would have paid to the previous lender.

Tools Used

Manual Review

Recommendations

When a new lender buys a loan, or a loan is given to a new lender, transfer the remaining debt to the borrower.

    // calculate the interest
    (uint256 lenderInterest, uint256 protocolInterest) = _calculateInterest(
        loan
    );

    // reject if the pool is not big enough
    uint256 totalDebt = loan.debt + lenderInterest + protocolInterest;

Above are the lines where the interest is calculated before the loan is updated to the new pool. We should transfer lenderInterest + protocolInterest to the borrower here; only then is it fair for the borrower to pay interest on the new, increased debt.

One thing to keep in mind is that this increased debt amount must be given after deducting the fees, i.e. uint256 fees = (debt * borrowerFee) / 10000; with debt replaced by lenderInterest + protocolInterest, followed by IERC20(loan.loanToken).transfer(borrower, lenderInterest + protocolInterest - fees).
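To make the accounting in this recommendation concrete, here is an added Python model (not the protocol's code) that compares what the borrower receives and owes with and without the transfer at refinance time. The interest formula, the protocol/borrower fee split and every amount are constructed assumptions that only mirror the shape of _calculateInterest and the fee line above.

```python
from dataclasses import dataclass

BPS = 10_000
YEAR = 365 * 24 * 60 * 60

@dataclass
class Loan:
    debt: int           # loan tokens the borrower currently owes
    interest_rate: int  # annual rate in bps
    start: int          # timestamp interest accrues from

def calculate_interest(loan, now, protocol_fee_bps):
    """(lenderInterest, protocolInterest) accrued since loan.start.
    Simple pro-rata interest; an assumed shape, not the protocol's formula."""
    gross = loan.debt * loan.interest_rate * (now - loan.start) // (BPS * YEAR)
    protocol = gross * protocol_fee_bps // BPS
    return gross - protocol, protocol

def refinance(loan, now, protocol_fee_bps, borrower_fee_bps, pay_borrower):
    """Move the loan to a new pool; returns (new_loan, tokens_sent_to_borrower).
    pay_borrower=False is the reported behaviour: debt becomes totalDebt and
    nothing is sent. pay_borrower=True is the recommended fix: the increase,
    net of borrowerFee, is sent to the borrower."""
    lender_i, protocol_i = calculate_interest(loan, now, protocol_fee_bps)
    increase = lender_i + protocol_i
    sent = 0
    if pay_borrower:
        fees = increase * borrower_fee_bps // BPS  # (debt * borrowerFee) / 10000
        sent = increase - fees
    return Loan(loan.debt + increase, loan.interest_rate, now), sent

def repayment_summary(principal, rate_bps, t_refi, t_repay,
                      protocol_fee_bps, borrower_fee_bps, pay_borrower):
    """(tokens_received, tokens_owed_at_repay, net_cost) for one borrower."""
    loan = Loan(principal, rate_bps, 0)
    loan, extra = refinance(loan, t_refi, protocol_fee_bps,
                            borrower_fee_bps, pay_borrower)
    lender_i, protocol_i = calculate_interest(loan, t_repay, protocol_fee_bps)
    received = principal + extra
    owed = loan.debt + lender_i + protocol_i
    return received, owed, owed - received

if __name__ == "__main__":
    # constructed scenario: 1e6 tokens at 10%/yr, refinanced after a year,
    # repaid a year later, 10% protocol cut of interest, 0.5% borrower fee
    for fix in (False, True):
        print("fixed" if fix else "current",
              repayment_summary(1_000_000, 1000, YEAR, 2 * YEAR, 1000, 50, fix))
```

In the constructed scenario the debt at repayment is the same either way (1,210,000), but without the transfer the borrower only ever received 1,000,000 tokens, so his net cost is 210,000 instead of 110,500.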
