Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

ERC777 tokens can allow attacker to drain funds due to reentrancy

33audits

Summary

If this base token is ERC777 (extension of ERC20), we can call the addToPool() function to add funds to the pool and reenter the function to continous update our token balance while only sending the amount passed as an argument to the function.

Vulnerability Details

ERC777 has hooks that allow you to reenter a function. Since the docs weren't clear if ERC777 is allowed or not is must be mentioned that the contract is vulnerable to loss of funds if ERC777 were used.

function addToPool(bytes32 poolId, uint256 amount) external {

if (pools[poolId].lender != msg.sender) revert Unauthorized();

if (amount == 0) revert PoolConfig();

/// user reenters here and updates there balance to whatever amount they want

_updatePoolBalance(poolId, pools[poolId].poolBalance + amount);

// transfer the loan tokens from the lender to the contract

IERC20(pools[poolId].loanToken).transferFrom(

msg.sender,

address(this),

amount

);

}

Impact

A malicious attacker could drain the entire contract while only depositing 1 wei of tokens.

Tools Used

Manual review.

Recommendations

Either add a non reentrant modifier to the deposit function or use the CEI patter by calling updateBalance after the token transfer.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.