Beedle - Oracle free perpetual lending

BeedleFi

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

`buyLoan` can be called on another user's pool, thus messing up their plans

pyro

Summary

buyLoan can be called by any user, even ones not owning a pool to move a random loan to a different pool.

Vulnerability Details

Although comments suggests that this function should only interact with your pool, there is no reinforcement on it. And because of that anyone can DoS any pool owner by simply moving any of the loans to his pool.

Example:

Pool owner is planing to leave the system, having 4k in loan tokens and last borrower of his spool has just payed 1k (5k in total)
Malicious user calls buyLoan on any random loan (that matches collateral and loan tokens) to move it to his pool and eat up his loan tokens.
Now pool owner is not being able to withdraw his loan tokens and needs to wait until this borrower pays his debt

Impact

Anyone can mess up the poo owner intentions and Dos them of their loan/collateral tokens.

Tools Used

Manual review

Recommendations

Have an if() to prohibit using this function with any pool that is not yours.

function buyLoan(uint256 loanId, bytes32 poolId) public {

Loan memory loan = loans[loanId];

+ if (msg.sender != loan.lender) revert Unauthorized();

...

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

706

28 USDC / LOC

High Medium

18,000 USDC

Low

2,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.