Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Loan buyer can buy a loan by using other lender's pool

Crunch

Summary

Loan buyer can buy a loan for free.

Vulnerability Details

Loan buyer buys a loan in a refinance auction by calling buyLoan method.

loanId and poolId are passed to buyLoan method, and this method does some validations against the pool:

if (pools[poolId].interestRate > currentAuctionRate) revert RateTooHigh();

if (pools[poolId].poolBalance < totalDebt) revert PoolTooSmall();

After validation pool balance will be updated:

_updatePoolBalance(poolId, pools[poolId].poolBalance - totalDebt);

And loan will be owned by the buyer:

loans[loanId].lender = msg.sender;

It is worth noting that there is no check on if buyer is the pool lender, so buyer can buy the loan by using other lender's pool, results in buyer gets the loan for free and pool lender loses balance.

Impact

Buyer gets the loan for free and pool lender loses balance.

Tools Used

Manual Review

Recommendations

When buyer buys a loan, should check if the buyer is pool lender.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.