Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Lender fails to giveLoan because of inconsistent length between `loadIds` and `poolIds`

0xackermann

Vulnerability Details

Impact

Lender fails to giveLoan because of inconsistent length between loadIds and poolIds, which wastes the gas fees of the Lender.

Proof of concept

function giveLoan(

uint256[] calldata loanIds,

bytes32[] calldata poolIds

) external {

for (uint256 i = 0; i < loanIds.length; i++) {

uint256 loanId = loanIds[i];

bytes32 poolId = poolIds[i];

...

}

Here is the giveLoan function which does not check if the loanIds and poolIds have the same length. For example, the lender mistakenly leaves out one of the poolIds which means the last loanId does not map to any poolId since loanIds.length = poolIds.length + 1. Hence, since there is an out-of-bounds error when getting the pool id, poolId = poolIds[i], the entire function will revert due to this error.

// Lender.t.sol

function test_giveLoanDifferentLength() public {

test_borrow();

vm.startPrank(lender2);

Pool memory p = Pool({

lender: lender2,

loanToken: address(loanToken),

collateralToken: address(collateralToken),

minLoanSize: 100 * 10 ** 18,

poolBalance: 1000 * 10 ** 18,

maxLoanRatio: 2 * 10 ** 18,

auctionLength: 1 days,

interestRate: 1000,

outstandingLoans: 0

});

lender.setPool(p);

uint256[] memory loanIds = new uint256[](1);

loanIds[0] = 0;

// different length

bytes32[] memory poolIds = new bytes32[](0);

vm.startPrank(lender1);

lender.giveLoan(loanIds, poolIds);

// [FAIL. Reason: Index out of bounds] test_giveLoanDifferentLength()

}

forge test --match-test giveLoanDifferentLength -vvvv

How to fix

function giveLoan(

uint256[] calldata loanIds,

bytes32[] calldata poolIds

) external {

+ if (loanIds.length != poolIds.length) revert GiveLoanLengthMismatch();

for (uint256 i = 0; i < loanIds.length; i++) {

uint256 loanId = loanIds[i];

bytes32 poolId = poolIds[i];

...

}

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!