Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Lender is able to seize the collateral immediately after startAuction()

sonny2k

Summary

In theory, the lender should only be able to seize the collateral if the loan has finished its auction. But the lender is able to speed up the process and seize the collateral almost immediately by setting the pool.auctionLength when setPool()

Vulnerability Details

Despite having zero number check on the auctionLength, the setPool() function lacks minimum auctionLength declaration. This can be manipulated by the lender if he/she puts 1 in the p parameter for auctionLength, which equals to 1 second. As the base time units of Solidity is seconds

https://docs.soliditylang.org/en/v0.8.19/units-and-global-variables.html#time-units

So, the lender will only have to wait for 1 second after startAuction() and then can seize the collateral.

POC

I have made the POC for this case:

please modify the auctionLength of the test_borrow() function in test/Lender.t.sol to 1 or 1 seconds (remove the days suffix) and paste the code snippet below to test/Lender.t.sol

function test_seizePoc() public {

test_borrow();

vm.startPrank(lender1);

uint256[] memory loanIds = new uint256[](1);

loanIds[0] = 0;

lender.startAuction(loanIds);

(, , , , , , , , uint256 startTime, ) = lender.loans(0);

assertEq(startTime, block.timestamp);

vm.warp(block.timestamp + 1 seconds);

lender.seizeLoan(loanIds);

// balance of lender after seize = collateral - govFee

console.log("The collateralToken balance of lender after seize: ", collateralToken.balanceOf(address(lender1)));

}

Use forge test -vv --mt test_seizePoc to run this test case.

Impact

Borrowers may unintentionally ignore the auctionLength of the pool when they borrow a loan from or refinance a loan to that pool (if the auctionLength is displayed on the UI) and have their collateral seized almost immediately.

Tools Used

Manual

Recommendations

Declare a minimum auctionLength so that the loan can't be seized so fast.
Alert some warnings to warn the borrowers about short auctionLength of the pool they want to borrow.

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.