Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

A big fraction of reward WETH can get locked with a donation attack

KrisApostolov

Summary

A donation of staking tokens to the Staking.sol contract makes a proportion of all WETH fill-ups be locked forever due to the accounting being done with the real balance instead of with a tracking number.

Vulnerability Details

The calculation of how shares of each WETH refill should be split between stakers has a fundamental flaw. It resides in the use of TKN.balanceOf(address(this)) instead of using a tracking variable in the same manner as balance.

function update() public {
uint256 totalSupply = TKN.balanceOf(address(this));
if (totalSupply > 0) {
uint256 _balance = WETH.balanceOf(address(this));
if (_balance > balance) {
uint256 _diff = _balance - balance;
if (_diff > 0) {
// @audit using totalSupply to divide the amount leads to funds being allocated to donated tokens
uint256 _ratio = _diff * 1e18 / totalSupply;
if (_ratio > 0) {
index = index + _ratio;
balance = _balance;
}
}
}
}
}

Using the actual balance instead of the variable allows malicious users to donate to the contract, thus making it allocate rewards for tokens, which do not belong to anyone, thus locking them from ever being claimed.

Consider the following PoC as it demonstrates the vector:
https://gist.github.com/CrisCodesCrap/05775e07dd98e2673d0196d6c41b3773

Impact

A portion of all of the upcoming fill-ups will be locked forever.

Tools Used

Manual Review

Recommendations

Consider implementing the accounting and calculations of the whole contract with tracking variables instead of with real balances. Keep the amount of staked tokens in a tracking variable in the same manner as the balance variable used for keeping track of WETH.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.