Submission Details
Severity: high

Lack of Price Oracle for Accurate Loan-to-Value Calculation

Summary

The Lender.sol smart contract has no mechanism for determining the USD value of loanToken and collateralToken when the borrow() function executes. The loan-to-value (LTV) ratio it computes can therefore be inaccurate, which can result in undercollateralized loans and poses significant risk to lenders.

Vulnerability Details

In the borrow() function of the Lender.sol contract, the loanRatio is calculated from raw token amounts, with no mechanism to obtain the current market prices (in USD) of loanToken and collateralToken. As a result, the calculated loanRatio does not necessarily reflect the true LTV ratio.

DeFi lending applications typically rely on price oracles for up-to-date price data. This contract uses no oracle or comparable mechanism, so it cannot ensure that the collateral is sufficient to cover the value of the loan.

Impact

Without an accurate LTV calculation, the contract might accept loans that are undercollateralized. If a borrower defaults on an undercollateralized loan, the lender could lose a significant portion of the loaned amount. This vulnerability poses a high risk to lenders and could undermine the credibility of the lending platform.

Tools Used

  • Manual code review

Recommendations

It is recommended to implement a reliable oracle to provide the current market prices (in USD) of loanToken and collateralToken. This would enable the contract to calculate the LTV ratio accurately, ensuring that all loans are sufficiently collateralized.

Consider using multiple oracles and taking the median price to mitigate the risk of oracle failure or manipulation. Additionally, implementing a fallback mechanism to handle oracle failures could provide further robustness.
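The following is an added illustration of the recommended design, not code from the audited Lender.sol or from the project: it reads three Chainlink-style feeds per token, discards stale, zero or reverting answers, takes the median (falling back to a conservative choice when only two feeds are live), and computes a USD-denominated loan ratio that a borrow() check can compare against a maximum. The AggregatorV3Interface signature is the real Chainlink one; the staleness window, the minimum number of live feeds, the RATIO_PRECISION scale and the contract name OracleLtv are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink-compatible feed interface (real interface; any feed exposing it works).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical helper showing how a lender could price loanToken and collateralToken in USD.
contract OracleLtv {
    uint256 public constant MAX_STALENESS = 1 hours; // assumed: reject answers older than this
    uint256 public constant MIN_LIVE_FEEDS = 2;      // assumed: require 2 of 3 feeds to answer
    uint256 public constant RATIO_PRECISION = 1e18;  // prices and ratios are scaled to 1e18

    error NotEnoughLiveFeeds(uint256 live);
    error LoanRatioTooHigh(uint256 ratio, uint256 maxRatio);

    /// USD price of one whole token scaled to 1e18, or 0 if the feed is unusable
    /// (reverts, non-positive answer, stale timestamp, or incomplete round).
    function _readFeed(AggregatorV3Interface feed) internal view returns (uint256) {
        try feed.latestRoundData() returns (
            uint80 roundId, int256 answer, uint256, uint256 updatedAt, uint80 answeredInRound
        ) {
            if (answer <= 0) return 0;
            if (block.timestamp - updatedAt > MAX_STALENESS) return 0;
            if (answeredInRound < roundId) return 0;
            return uint256(answer) * RATIO_PRECISION / (10 ** feed.decimals());
        } catch {
            return 0;
        }
    }

    /// Median of the live feeds. With all three live this is the middle value; with
    /// exactly two live the fallback picks the lower price when `conservativeLow` is
    /// set (collateral side) and the higher price otherwise (loan side), so a partial
    /// oracle outage can only make the LTV check stricter, never looser.
    function medianPrice(AggregatorV3Interface[3] memory feeds, bool conservativeLow)
        public
        view
        returns (uint256)
    {
        uint256[3] memory p;
        uint256 live;
        for (uint256 i = 0; i < 3; i++) {
            uint256 v = _readFeed(feeds[i]);
            if (v != 0) p[live++] = v;
        }
        if (live < MIN_LIVE_FEEDS) revert NotEnoughLiveFeeds(live);
        // Insertion-sort the `live` prefix (at most three entries).
        for (uint256 i = 1; i < live; i++) {
            uint256 key = p[i];
            uint256 j = i;
            while (j > 0 && p[j - 1] > key) { p[j] = p[j - 1]; j--; }
            p[j] = key;
        }
        if (live == 3) return p[1];
        return conservativeLow ? p[0] : p[1];
    }

    /// Loan ratio in USD terms, scaled to 1e18: loanValue / collateralValue.
    /// Token decimals are passed in so amounts with different precisions compare correctly.
    function loanRatioUsd(
        uint256 loanAmount,
        uint8 loanDecimals,
        AggregatorV3Interface[3] memory loanFeeds,
        uint256 collateralAmount,
        uint8 collateralDecimals,
        AggregatorV3Interface[3] memory collateralFeeds
    ) public view returns (uint256) {
        uint256 loanValue = loanAmount * medianPrice(loanFeeds, false) / (10 ** loanDecimals);
        uint256 collateralValue =
            collateralAmount * medianPrice(collateralFeeds, true) / (10 ** collateralDecimals);
        require(collateralValue > 0, "collateral has no USD value");
        return loanValue * RATIO_PRECISION / collateralValue;
    }

    /// The check a borrow() would perform before issuing the loan; `maxLoanRatio` is the
    /// pool's configured LTV cap, scaled to 1e18 (e.g. 0.8e18 for 80%).
    function requireSufficientCollateral(
        uint256 loanAmount,
        uint8 loanDecimals,
        AggregatorV3Interface[3] memory loanFeeds,
        uint256 collateralAmount,
        uint8 collateralDecimals,
        AggregatorV3Interface[3] memory collateralFeeds,
        uint256 maxLoanRatio
    ) external view {
        uint256 ratio = loanRatioUsd(
            loanAmount, loanDecimals, loanFeeds, collateralAmount, collateralDecimals, collateralFeeds
        );
        if (ratio > maxLoanRatio) revert LoanRatioTooHigh(ratio, maxLoanRatio);
    }
}
```

The fallback direction matters: when only two feeds answer there is no true median, so the helper biases toward undervaluing collateral and overvaluing the loan. Reverting entirely when fewer than MIN_LIVE_FEEDS are usable is the "fail closed" option; a production pool may instead want to pause borrowing rather than revert each call.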
