The smart contract contains a vulnerability in the giveLoan function, which can lead to wasted gas and failed transactions if users provide arrays with different lengths. The function is designed to process parallel arrays loanIds and poolIds, but it assumes that both arrays have the same length. As a result, if the lengths are not the same, the function will revert the transaction, causing unnecessary gas costs for users.
The giveLoan function in the smart contract processes two arrays: loanIds and poolIds. It uses a for loop to iterate through the elements of both arrays with the assumption that both arrays have the same length. When accessing elements from these arrays using the same index i, there is no validation to ensure their lengths are equal, leading to an "index out of bounds" error if they differ.
The impact of this vulnerability is twofold. Firstly, users who unintentionally provide arrays with different lengths will experience failed transactions. When the mismatched index is reached, the function reverts the transaction, and the gas used by the transaction up to that point is consumed. This gas will not be refunded to the user, resulting in wasted gas fees.
Secondly, the failure of transactions due to this issue could potentially lead to user frustration and dissatisfaction with the application or platform utilizing the smart contract. Users may perceive the application as unreliable due to the unexpected transaction failures caused by the lack of array length validation.
Manual Review
Add Length Validation: Implement array length validation at the contract's entry point or off-chain to ensure that both loanIds and poolIds have the same length before calling the giveLoan function. If the lengths differ, the function call should be prevented, and users should be notified to correct their input data.
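The unchecked pattern described above next to an on-chain length check, as an added example that is not the audited contract's code. Only the names giveLoan, loanIds and poolIds come from the finding; the parameter types, the poolOfLoan mapping, the _reassign helper and the ArrayLengthMismatch error are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration, not the audited contract. Types, storage and the
/// _reassign helper are hypothetical; only giveLoan, loanIds and poolIds
/// are names taken from the finding.
contract GiveLoanLengthCheck {
    error ArrayLengthMismatch(uint256 loanIdsLength, uint256 poolIdsLength);

    // Hypothetical bookkeeping: which pool each loan is assigned to.
    mapping(uint256 => bytes32) public poolOfLoan;

    /// Pattern described in the finding: one index drives both arrays and
    /// nothing checks that their lengths agree.
    function giveLoanUnchecked(
        uint256[] calldata loanIds,
        bytes32[] calldata poolIds
    ) external {
        for (uint256 i = 0; i < loanIds.length; i++) {
            // If poolIds is shorter, poolIds[i] reverts with Panic(0x32),
            // but only after the earlier iterations have already run.
            // If poolIds is longer, the extra entries are silently ignored.
            _reassign(loanIds[i], poolIds[i]);
        }
    }

    /// Hardened form: reject mismatched input before any work is done,
    /// with an error that tells the caller both lengths.
    function giveLoan(
        uint256[] calldata loanIds,
        bytes32[] calldata poolIds
    ) external {
        if (loanIds.length != poolIds.length) {
            revert ArrayLengthMismatch(loanIds.length, poolIds.length);
        }
        for (uint256 i = 0; i < loanIds.length; i++) {
            _reassign(loanIds[i], poolIds[i]);
        }
    }

    function _reassign(uint256 loanId, bytes32 poolId) internal {
        poolOfLoan[loanId] = poolId;
    }
}
```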