Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Malicious lender can front-runs to set loan auctionLength to 1

Crunch

Summary

Malicious lender can front-runs to set loan auctionLength to 1, results in a bad loan for the borrower.

Vulnerability Details

A loan can be put for auction at anytime, the auction will be ended after loan.auctionStartTimestamp + loan.auctionLength.

if (block.timestamp > loan.auctionStartTimestamp + loan.auctionLength)

revert AuctionEnded();

If auction is ended, the loan will be seized.

When a borrower create a loan by calling borrow, there is no check for the pool auction length, imagine the following scenario:

Alice submits a transaction to create a loan from a pool;
The pool lender Bob sees Alice's transaction in the mempool, and front-runs to decrease the pool auction length;
Bob's transaction gets executed, pool auction length is set to 1;
Alice's transaction gets executed, loan is created but loan auction length is 1.

Bob can then put the loan for auction immediately and the auction will be ended in a block, then Bob seize the loan and get the Alice's collaterals.

Impact

Borrower loses collateral.

Tools Used

Manual Review

Recommendations

When a loan is created from a pool, should check if the pool auction length is expected.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.