20,000 USDC
Submission Details
Severity: medium
Valid

Loss of funds for Borrowers due to Slippage when repaying the loan

Summary

When a borrower submits a repay transaction, the amount quoted at submission time (say 20 tokens) is not the amount actually charged: interest keeps accruing until the transaction is executed, so the borrower can end up paying more tokens than they should, e.g. 40 instead of 20.

Vulnerability Details

Looking at the implementation of repay, the amount the borrower has to pay is determined by the _calculateInterest function.

Inside _calculateInterest, the interest depends on block.timestamp, which increases over time.

function repay(uint256[] calldata loanIds) public {
    for (uint256 i = 0; i < loanIds.length; i++) {
        uint256 loanId = loanIds[i];
        // get the loan info
        Loan memory loan = loans[loanId];
        // calculate the interest
        (
            uint256 lenderInterest,
            uint256 protocolInterest
        ) = _calculateInterest(loan);
        ...
        ...
        ...
    }

_calculateInterest

function _calculateInterest(
    Loan memory l
) internal view returns (uint256 interest, uint256 fees) {
    // interest grows with block.timestamp, i.e. with execution time, not submission time
    uint256 timeElapsed = block.timestamp - l.startTimestamp;
    interest = (l.interestRate * l.debt * timeElapsed) / 10000 / 365 days;
    fees = (lenderFee * interest) / 10000;
    interest -= fees;
}

If a user submits the repay transaction at time t1, when the amount to repay is 30 tokens, but the transaction is actually executed at time t2, the amount owed can be much larger than 30, maybe 1000.

This happens when execution of the transaction is delayed.
Possible causes

-> Network congestion
-> Priority fees for other transactions are high

This scenario causes a loss of funds to the user if they hold more than 30 tokens in their account.

If they do not, the repayment fails and they remain exposed to liquidation, which is unfair to them.

Impact

-> Loss of funds for borrowers / users

-> Loss of users' trust in the protocol

Tools Used

Manual Review

Recommendations

The protocol should devise a mechanism to record the time at which the transaction was initiated, so that borrowers' interests are safeguarded.
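One way to bound the slippage, shown here as an added example rather than the protocol's own code: the borrower passes a per-loan maximum repayment and a deadline, and the call reverts if the amount owed at execution time exceeds what was agreed at submission time. The contract name, the Loan fields, the IERC20 interface and the fee value are assumptions for this illustration; _calculateInterest is the formula from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical minimal lender holding only the fields the report's snippet touches.
contract RepayWithCap {
    struct Loan {
        address loanToken;     // assumed: token the debt is denominated in
        uint256 debt;
        uint256 interestRate;  // basis points per year
        uint256 startTimestamp;
    }

    uint256 public lenderFee = 1000; // assumed: 10% of interest, in bps
    mapping(uint256 => Loan) public loans;

    error RepayExceedsMax(uint256 loanId, uint256 owed, uint256 maxRepay);
    error DeadlineExpired(uint256 deadline, uint256 nowTs);

    // Same formula as the page's _calculateInterest: grows with block.timestamp.
    function _calculateInterest(Loan memory l) internal view returns (uint256 interest, uint256 fees) {
        uint256 timeElapsed = block.timestamp - l.startTimestamp;
        interest = (l.interestRate * l.debt * timeElapsed) / 10000 / 365 days;
        fees = (lenderFee * interest) / 10000;
        interest -= fees;
    }

    // maxRepay[i] is the most the borrower accepts to pay for loanIds[i];
    // deadline bounds how long the submitted quote stays valid.
    function repay(uint256[] calldata loanIds, uint256[] calldata maxRepay, uint256 deadline) external {
        if (block.timestamp > deadline) revert DeadlineExpired(deadline, block.timestamp);
        require(loanIds.length == maxRepay.length, "length mismatch");
        for (uint256 i = 0; i < loanIds.length; i++) {
            Loan memory loan = loans[loanIds[i]];
            (uint256 lenderInterest, uint256 protocolInterest) = _calculateInterest(loan);
            uint256 owed = loan.debt + lenderInterest + protocolInterest;
            // Revert instead of silently charging the accrued-while-pending amount.
            if (owed > maxRepay[i]) revert RepayExceedsMax(loanIds[i], owed, maxRepay[i]);
            require(IERC20(loan.loanToken).transferFrom(msg.sender, address(this), owed), "transfer failed");
            delete loans[loanIds[i]];
        }
    }
}
```

A reverted batch costs the borrower gas but never more tokens than they quoted; front-ends would compute maxRepay from the quote plus a small tolerance.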
