buyLoan() never checks that msg.sender is the lender of the pool passed as poolId. Any user can therefore buy a loan using another lender's pool; the caller becomes loan.lender while the pool pays. Because the pool lender is never recorded as loan.lender, they are unable to remove the loan afterwards with giveLoan or startAuction.
buyLoan takes poolId as a function argument and contains no check that msg.sender is that pool's lender. As a result, anyone can call it naming another lender's pool: the loan is funded from that pool, but the caller, not the pool lender, is set as the new loan.lender.
If the pool lender later wishes to give the loan away (giveLoan) or start an auction for it (startAuction), both calls fail, because the pool lender was never set as loan.lender; the user who called buyLoan was.
A user can force a pool lender to fund a loan that the pool lender is then unable to remove from their pool.
Manual Review
Add a check to buyLoan() confirming that msg.sender is pool.lender.
Alternatively, if buyLoan is intended to be callable by anyone, set loan.lender to the pool's lender rather than to msg.sender.
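The following is an added illustration, not code from the audited project: a deliberately simplified model of the pool and loan bookkeeping the finding describes, with the vulnerable assignment of loan.lender next to the two recommended fixes. The struct layout, the setPool/addLoan helpers, the custom errors and the single-field settlement in _settle are assumptions made for the example; the real contract's accounting is more involved and is not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Simplified model (not the audited project's code) of the buyLoan issue.
contract BuyLoanModel {
    struct Pool {
        address lender;            // owner of the pool; the only one who should spend it
        uint256 poolBalance;       // funds available to buy loans
        uint256 outstandingLoans;  // debt currently funded by this pool
    }

    struct Loan {
        address lender;   // pool lender funding the loan; gates giveLoan/startAuction
        uint256 debt;
        bool auctioned;   // true while the loan is up for auction and may be bought
    }

    mapping(bytes32 => Pool) public pools;
    Loan[] public loans;

    error Unauthorized();
    error NotInAuction();
    error PoolTooSmall();

    // Assumed helper: caller registers a pool under an arbitrary id.
    function setPool(bytes32 poolId, uint256 balance) external {
        pools[poolId] = Pool(msg.sender, balance, 0);
    }

    // Assumed helper: create a loan already funded by `lender` and put it up for auction.
    function addAuctionedLoan(address lender, uint256 debt) external returns (uint256 loanId) {
        loans.push(Loan(lender, debt, true));
        return loans.length - 1;
    }

    // Only the recorded loan.lender may hand the loan to someone else.
    function giveLoan(uint256 loanId, address newLender) external {
        if (loans[loanId].lender != msg.sender) revert Unauthorized();
        loans[loanId].lender = newLender;
    }

    // Only the recorded loan.lender may put the loan up for auction.
    function startAuction(uint256 loanId) external {
        if (loans[loanId].lender != msg.sender) revert Unauthorized();
        loans[loanId].auctioned = true;
    }

    // VULNERABLE: no check that msg.sender owns `poolId`. An attacker passes the
    // victim's poolId, the victim's pool pays the debt, and the attacker becomes
    // loan.lender. The victim's later giveLoan/startAuction calls revert Unauthorized.
    function buyLoanVulnerable(uint256 loanId, bytes32 poolId) external {
        _settle(loanId, poolId);
        loans[loanId].lender = msg.sender;
    }

    // FIX (a): require that the caller is the lender of the pool being charged.
    function buyLoanChecked(uint256 loanId, bytes32 poolId) external {
        if (pools[poolId].lender != msg.sender) revert Unauthorized();
        _settle(loanId, poolId);
        loans[loanId].lender = msg.sender;
    }

    // FIX (b): keep buyLoan permissionless but record the pool's lender, not the
    // caller, so whoever pays for the loan is the one who controls it afterwards.
    function buyLoanPermissionless(uint256 loanId, bytes32 poolId) external {
        _settle(loanId, poolId);
        loans[loanId].lender = pools[poolId].lender;
    }

    // Move the loan's debt into the buying pool (simplified: no interest, no
    // refund to the previous lender's pool).
    function _settle(uint256 loanId, bytes32 poolId) internal {
        Loan storage loan = loans[loanId];
        if (!loan.auctioned) revert NotInAuction();
        Pool storage p = pools[poolId];
        if (p.poolBalance < loan.debt) revert PoolTooSmall();
        p.poolBalance -= loan.debt;
        p.outstandingLoans += loan.debt;
        loan.auctioned = false;
    }
}
```

Attack trace against the vulnerable variant: the victim calls setPool(victimPoolId, 1000); any auctioned loan with debt 100 exists; the attacker calls buyLoanVulnerable(loanId, victimPoolId). The victim's poolBalance drops to 900 and outstandingLoans rises to 100, but loans[loanId].lender is the attacker, so the victim's startAuction(loanId) and giveLoan(loanId, x) both revert with Unauthorized. With either fix, the same sequence either reverts at the ownership check (a) or leaves the victim as loan.lender (b), so the victim retains control of the loan their pool funded.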