Submission Details
Severity: high
Valid

Fees.sol#sellProfits is lacking access control letting anyone cause loss of funds for the protocol

Summary

The function sellProfits is declared public and without any access control:

function sellProfits(address _profits) public

This lets anyone swap any of the tokens held by the Fees contract at any time they like, which can potentially cause the loss of the fees accrued by the protocol.

Vulnerability Details

Combined with the complete absence of slippage protection when swapping (amountOutMinimum: 0), this means there is a very high chance of a bad actor intentionally swapping the protocol's profits in pools with very high slippage, causing the loss of accrued protocol fees.

Note: This issue is completely different from the issue about lack of slippage protection. Even if slippage protection is implemented, you don't want anyone to be able to swap your accrued rewards at any time they like, e.g. under extreme market conditions (you probably wouldn't want to let anyone swap your accrued USDC when USDC is depegged and at -10% of its normal value; these things are real and do happen).

Effectively, an attacker can create a sandwich attack on-demand with this vulnerability:

  1. Swap a big amount of WETH into Token, where Token is the target _profits token, making the price of Token drop relative to WETH.

  2. Execute the sellProfits(address _profits) function; the protocol receives a lot less WETH than expected because the price of the Token being swapped has dropped.

  3. Swap the Tokens back into WETH now that the rate is better because of the Token liquidity added in step 1.

Impact

At the very least you're letting random actors swap your accrued fees in unfavorable market conditions.

At worst, they lose your funds and profit from doing so.

Tools Used

Manual review

Recommendations

Add access control so that the swaps can be performed only by the governance or whoever is responsible for the fees.
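The following is an added illustration of the recommended fix and is not the audited project's code. The Fees contract layout, the governance address, the pool fee tier and the token names are assumptions; only the Uniswap V3 ISwapRouter interface and its ExactInputSingleParams struct (whose amountOutMinimum field is the one set to 0 in the finding) are real. The unprotected signature from the finding is left as a comment next to the gated version, which also makes the caller state the minimum WETH it will accept so a zero minimum can no longer be hard-coded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Fees, governance, weth and the
// fee tier are assumptions; ISwapRouter is the real Uniswap V3 interface.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Minimal subset of Uniswap V3's ISwapRouter.
interface ISwapRouter {
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    function exactInputSingle(ExactInputSingleParams calldata params)
        external
        payable
        returns (uint256 amountOut);
}

contract Fees {
    ISwapRouter public immutable router;
    address public immutable weth;
    address public governance; // assumed: the party responsible for the fees

    error NotGovernance();
    error ZeroMinimumOut();

    // Restricts a function to the governance address.
    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    constructor(ISwapRouter _router, address _weth, address _governance) {
        router = _router;
        weth = _weth;
        governance = _governance;
    }

    // Vulnerable shape described in the finding: callable by anyone, and the
    // swap is submitted with amountOutMinimum: 0.
    //
    // function sellProfits(address _profits) public { ... }

    // Hardened version: only governance may trigger the swap, and it must pass
    // the minimum WETH it is willing to accept (computed off-chain from a
    // trusted price source when the transaction is prepared) plus a deadline.
    function sellProfits(address _profits, uint256 _minWethOut, uint256 _deadline)
        external
        onlyGovernance
        returns (uint256 amountOut)
    {
        if (_minWethOut == 0) revert ZeroMinimumOut();

        uint256 amountIn = IERC20(_profits).balanceOf(address(this));
        IERC20(_profits).approve(address(router), amountIn);

        amountOut = router.exactInputSingle(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: _profits,
                tokenOut: weth,
                fee: 3000, // assumed 0.3% pool fee tier
                recipient: address(this),
                deadline: _deadline,
                amountIn: amountIn,
                amountOutMinimum: _minWethOut, // reverts if the pool pays out less
                sqrtPriceLimitX96: 0
            })
        );
    }
}
```

The access-control check alone closes the issue in this finding; the non-zero amountOutMinimum and the deadline are the separate slippage fix the note above distinguishes this from, and are included so the two controls can be seen together in one place.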
