Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Malicious lender can increase borrower's debt by giving loan to himself

Crunch

Summary

Malicious lender can increase loan debt by giving loan to himself.

Vulnerability Details

A lender can give his loan to another pool, or give to himself if he wants to. This can be done by leveraging giveLoan method.

loanIds and poolIds are passed to giveLoan method, after doing some checks, loan will be updated as per the new pool info.

loans[loanId].lender = pool.lender;
loans[loanId].interestRate = pool.interestRate;
loans[loanId].startTimestamp = block.timestamp;
loans[loanId].auctionStartTimestamp = type(uint256).max;
loans[loanId].debt = totalDebt;

It is worth noting that the loans[loanId].debt is updated to totalDebt where totalDebt is totalDebt = loan.debt + lenderInterest + protocolInterest, which means borrower's debt is increased.

A malicious lender can give a loan to his own pool by many times periodically, and borrower's debt will be increased significantly.

This is obviouly wrong because the way of calculating loan interest is simple interest, the accumulated interest of previous periods should not be taken into account when calculating the interest.

function _calculateInterest(
Loan memory l
) internal view returns (uint256 interest, uint256 fees) {
uint256 timeElapsed = block.timestamp - l.startTimestamp;
interest = (l.interestRate * l.debt * timeElapsed) / 10000 / 365 days;
fees = (lenderFee * interest) / 10000;
interest -= fees;
}

Impact

More debt means more interest, borrower has to pay more tokens to repay.

Tools Used

Mannual Review

Recommendations

When a loan is given to another pool (or the same pool), the accumulated interest of previous periods should not be added to the loan debt.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.