20,000 USDC
Submission Details
Severity: gas
Valid

Lack of Modifier for Pool Ownership Verification in Lender.sol Reduces Code Readability and Error Transparency

Summary

The Lender.sol smart contract does not use a modifier to verify pool ownership, even though several functions require this verification. Instead, each function repeats its own inline conditional checking that the caller is the pool's owner. Duplicating the check at every call site reduces readability, makes the contract's access-control logic harder to follow, and means any change to the ownership rule must be applied in every function separately.

Vulnerability Details

In Lender.sol, several functions require the caller to be the owner (the lender) of a pool. setPool is one of them: it checks inline that msg.sender equals the pool's lender, but that ownership check is combined with several other pool-configuration conditions into a single statement, and if any one of them fails the function reverts with the same generic PoolConfig error. A caller therefore cannot tell from the revert whether the ownership check or one of the configuration checks failed.

Impact

The lack of a pool ownership modifier reduces code readability and makes the contract's access-control logic harder to follow, which complicates maintenance and review. Inline checks copied into several functions also drift easily: a later change to the ownership rule has to be repeated at every call site, and a single missed site silently weakens access control. Furthermore, the generic PoolConfig error raised when the caller is not the pool's owner gives no indication of which condition failed, which hinders debugging and makes off-chain error handling (for example in a front end or test suite) less precise.

Tools Used

  • Manual code review

Recommendations

It is recommended to create a modifier that checks that the caller is the owner of the given pool, and to apply it to every function that requires this verification. This keeps the ownership rule in one place and makes the contract's logic easier to read and review. Note that Solidity inlines a modifier's body into each function that uses it, so the benefit is a single, consistent check rather than a reduction in bytecode size or runtime gas.

Additionally, consider providing more specific errors in setPool. Instead of folding every condition into one statement that reverts with the generic PoolConfig error, check each condition separately and revert with a dedicated custom error (ideally carrying the offending value). This makes the exact cause of a revert visible in the revert data and facilitates debugging and testing.
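The following is an added illustration of both recommendations together; it is not code from the audited Lender.sol. The Pool fields, the MAX_INTEREST_RATE and MAX_AUCTION_LENGTH caps, the getPoolId derivation and the update function names are assumptions chosen only to show an onlyPoolLender modifier alongside per-condition custom errors.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustration added for this report; not the audited Lender.sol.
/// The Pool fields, the limits and the function names are assumptions
/// chosen to show the pattern, not the project's real values.
contract PoolOwnershipExample {
    struct Pool {
        address lender;        // pool owner
        uint256 interestRate;  // assumed: basis points
        uint256 auctionLength; // assumed: seconds
        uint256 minLoanSize;
    }

    uint256 public constant MAX_INTEREST_RATE = 100_000; // assumed cap
    uint256 public constant MAX_AUCTION_LENGTH = 3 days; // assumed cap

    mapping(bytes32 => Pool) public pools;

    // One custom error per condition: the revert data now names the
    // failed check and carries the offending value.
    error NotPoolLender(bytes32 poolId, address caller);
    error LenderMismatch(address expected, address actual);
    error ZeroMinLoanSize();
    error InterestRateTooHigh(uint256 rate, uint256 max);
    error AuctionLengthInvalid(uint256 length, uint256 max);

    /// Single ownership check shared by every lender-only function.
    /// A pool that was never created has lender == address(0); since
    /// msg.sender is never address(0), that case reverts as well.
    modifier onlyPoolLender(bytes32 poolId) {
        if (pools[poolId].lender != msg.sender) {
            revert NotPoolLender(poolId, msg.sender);
        }
        _;
    }

    function getPoolId(address lender) public pure returns (bytes32) {
        return keccak256(abi.encode(lender));
    }

    /// Creates or replaces the caller's pool. The ownership check here is
    /// on the calldata struct (the pool may not exist yet), so it cannot
    /// use the modifier, but it still gets its own error rather than being
    /// folded into one combined condition with a generic revert.
    function setPool(Pool calldata p) external returns (bytes32 poolId) {
        if (p.lender != msg.sender) revert LenderMismatch(p.lender, msg.sender);
        if (p.minLoanSize == 0) revert ZeroMinLoanSize();
        _checkInterestRate(p.interestRate);
        _checkAuctionLength(p.auctionLength);

        poolId = getPoolId(msg.sender);
        pools[poolId] = p;
    }

    /// Lender-only updates reuse the modifier instead of repeating the
    /// ownership condition inline in each function.
    function updateInterestRate(bytes32 poolId, uint256 newRate)
        external
        onlyPoolLender(poolId)
    {
        _checkInterestRate(newRate);
        pools[poolId].interestRate = newRate;
    }

    function updateAuctionLength(bytes32 poolId, uint256 newLength)
        external
        onlyPoolLender(poolId)
    {
        _checkAuctionLength(newLength);
        pools[poolId].auctionLength = newLength;
    }

    function _checkInterestRate(uint256 rate) internal pure {
        if (rate > MAX_INTEREST_RATE) {
            revert InterestRateTooHigh(rate, MAX_INTEREST_RATE);
        }
    }

    function _checkAuctionLength(uint256 length) internal pure {
        if (length == 0 || length > MAX_AUCTION_LENGTH) {
            revert AuctionLengthInvalid(length, MAX_AUCTION_LENGTH);
        }
    }
}
```

With separate custom errors, a test can assert on the precise failure rather than on a catch-all; in Foundry, for example, `vm.expectRevert(abi.encodeWithSelector(PoolOwnershipExample.NotPoolLender.selector, poolId, attacker))` before a call from a non-owner pins down that it was the ownership check, not a configuration bound, that rejected the call.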
